🤯 Hackers Win $1.3M! Zero-Day Chaos 💥

May 18, 2026


🧠Quick Intel


  • Pwn2Own Berlin 2026 generated $1,298,250 in rewards for exploiting 47 zero-day vulnerabilities across enterprise technologies and AI.
  • DEVCORE won the contest with 50.5 Master of Pwn points and $505,000 in rewards, targeting Microsoft SharePoint, Exchange, Edge, and Windows 11.
  • On the first day, $523,000 was awarded for 24 unique zero-days, with Cheng-Da Tsai (Orange Tsai) earning $200,000 for a SYSTEM privilege exploit in Microsoft Exchange.
  • Orange Tsai also earned $175,000 on the first day for a Microsoft Edge sandbox escape involving 4 logic bugs.
  • The competition culminated in $389,500 being awarded on the third day for eight additional zero-day vulnerabilities.
  • ZDI’s previous Pwn2Own Berlin contest (2024) awarded $1,078,750 for 29 zero-day flaws.
📝Summary


    During the OffensiveCon conference from May 14 to 16, security researchers participated in the Pwn2Own Berlin 2026 hacking contest, successfully exploiting 47 zero-day vulnerabilities across a range of technologies including web browsers, enterprise applications, and artificial intelligence. Over the three days, competitors earned a total of $1,298,250 in rewards, with DEVCORE ultimately securing the top prize of $505,000 after targeting Microsoft products. Notable vulnerabilities included a $200,000 reward for chaining bugs in Microsoft Exchange, alongside significant payouts for exploits in Microsoft Edge and Windows 11. Following the competition, vendors will have 90 days to address these identified weaknesses, mirroring a similar trend from the previous year’s event where $1,078,750 was awarded for 29 zero-day flaws.

    💡Insights



    Pwn2Own Berlin 2026: A Record-Breaking Hacking Competition
    The Pwn2Own Berlin 2026 hacking contest concluded with a remarkable achievement: security researchers collectively earning $1,298,250 in rewards for exploiting a total of 47 zero-day vulnerabilities. This highly competitive event, held from May 14th to May 16th as part of OffensiveCon, focused specifically on enterprise technologies and artificial intelligence, providing a crucial testing ground for security defenses. Participants targeted a diverse range of products, including web browsers, enterprise applications, virtualization platforms, local privilege escalation techniques, cloud-native environments, container technologies, and Large Language Models (LLMs). The sheer volume and complexity of the challenges highlight the ongoing need for robust security measures across these critical systems. The competition’s success underscores the importance of proactive vulnerability research and the collaborative efforts between security researchers and vendors.

    Dominant Performances and Notable Rewards
    The competition witnessed several standout performances, culminating in DEVCORE taking the top prize with 50.5 Master of Pwn points and a substantial reward of $505,000. DEVCORE’s success was built upon exploiting multiple vulnerabilities in Microsoft SharePoint, Microsoft Exchange, Microsoft Edge, and Windows 11. Following closely behind were STAR Labs SG, earning $242,500 (25 points), and Out Of Bounds, securing $95,750 (12.75 points). The highest individual reward of $200,000 was awarded to Cheng-Da Tsai (Orange Tsai) of the DEVCORE Research Team for a particularly complex exploit chain. Tsai’s work involved chaining three bugs to achieve remote code execution with SYSTEM privileges within Microsoft Exchange. Other significant rewards included $175,000 to Tsai for a sandbox escape in Microsoft Edge, involving the chaining of four logic bugs, and $70,000 to Valentina Palmiotti (chompie) of IBM X-Force Offensive Research for rooting Red Hat Linux for Workstations and uncovering a zero-day in the NVIDIA Container Toolkit.

    Post-Event Protocol and Vendor Response
    Following the conclusion of Pwn2Own Berlin 2026, vendors are granted a 90-day window to release security patches addressing the discovered vulnerabilities. This timeline is managed by Trend Micro’s Zero Day Initiative (ZDI), which strategically decides when to publicly disclose the vulnerabilities. Historically, the ZDI has played a critical role in accelerating the patching process. The 2024 Pwn2Own Berlin contest, won by STAR Labs SG, saw ZDI award a staggering $1,078,750 for 29 zero-day flaws and several bug collisions, demonstrating the potential impact of these events on the broader security landscape. The ongoing cycle of vulnerability discovery, competition, and vendor response is a cornerstone of modern cybersecurity, driving continuous improvement in system security and safeguarding against emerging threats.