ZDI, Wiz in hacking contest kerfuffle over copied rules • The Register

A new hacking contest has caused a social media kerfuffle over allegations of rule copying and plagiarism.

Wiz, the cloud-security shop that agreed to be acquired for $32 billion (pending approvals), on Tuesday announced its new cloud-hacking competition, called Zero Day Cloud, with a $4.5 million prize pool. The competition is open to hackers who can find and exploit a 0-click remote code execution (RCE) or container escape vulnerability in any of the 20 open-source projects that power the major cloud platforms.

Contestants have until December 1 to submit their entries, and those accepted will be invited to demonstrate their exploits on stage in London on December 10 and 11. If a demo succeeds, Wiz validates and discloses to maintainers, and the researchers win a payout ranging from $10,000 to $300,000 depending on the target.

And, according to Trend Micro’s Zero Day Initiative, which hosts Pwn2Own – one of the world’s biggest hacking contests – Wiz’s Zero Day Cloud rules look eerily similar to its own.

“Hey Wiz – congrats on starting your own contest,” Dustin Childs, ZDI head of threat awareness, posted on social media. “But uh … did you have to cut/paste sections of the rules from Trend Zero Day Initiative? Seems like you should at least run that through ChatGPT to reword it. I guess imitation is the sincerest form of plagiarism.”

In true infosec geek fashion, this was met by memes and reposted by Trend, which invited Wiz to join the fun at Pwn2Own Ireland, which begins October 21 with a $1 million bounty on the line for a 0-click WhatsApp RCE.

“Bring your best, but maybe don’t copy our rules next time and we can help you judge the entries ;),” Trend snarked.

Wiz declined to answer The Register‘s questions, including whether the contest organizers cut-and-pasted Pwn2Own’s rules, and instead directed us to its response posted Friday:

The Register caught up with Childs on Friday to get his viewpoint on the new contest. When Wiz first announced the competition, Childs said he and the other ZDI threat hunters were “intrigued.”

“We’ve been putting on Pwn2Own for so many years,” and Wiz’s Zero Day Cloud looked like an “interesting competition with some interesting targets,” he said. “And then we read the rules, and they looked incredibly familiar to us because the rules were, in large part, we’ll just say borrowed from Pwn2Own rules.”

This includes giving each contestant up to three attempts to succeed, and each of the three attempts is limited to 10 minutes.

“Obviously, the ZDI has no exclusivity on writing a hacking competition,” Childs said. “We make no claim on running a Pwn2Own-style competition either – anyone can do that.”

However, ZDI’s rules were developed over the contest’s 15-year history – the time limit, for example, was set after a competitor ran the same exploit for a couple of hours on stage – “and there’s a story behind every rule,” Childs said.

“So it was a little frustrating to see it used that way, especially coming from them. But I’m still intrigued by the contest, I still want to see the outcome, and who knows, maybe we will participate with some of our own researchers.”

Other security researchers weighed in online, and the general consensus seems to be “it’s better for everyone if there are more competitions.”

Childs said he agrees with this sentiment. “Any hacking competition is a good idea. Hopefully it’ll get bugs to vendors to be fixed before they’re used in the wild. That’s our goal. And competition drives innovation. So maybe they’ll do something that we’ll see and like, and say, hey, we can innovate like that too, or we can, or it’ll push us to do more.”

He’s also looking forward to seeing how Zero Day Cloud’s rules evolve between now and the December contest, and in years to come.

“Maybe they’ll learn something that’s really good,” Childs said. “And we could borrow that for our rules, too.” ®
