Russian researcher Alisa Shevchenko, who is also known Alisa Esage, was awarded a partial win in her attempt, with the organisers, the Zero Day Initiative which is owned by security vendor Trend Micro, saying: "Despite the great demonstration (replete with ASCII art), the bug used by Alisa had been reported to the ZDI prior to the contest, making this a partial win.
"It's still great work, and we're thrilled she broke ground as the 1st woman to participate as an independent researcher in Pwn2Own history. Her efforts do result in two points towards Maser of Pwn."
In what delightful ways will the Internet greet me in my mentions with fresh hatred from angry little men who directly benefit from my work, & have for the majority if not the entirety of their careers?
— Katie Moussouris (she/her) is getting vaccinated (@k8em0) April 11, 2021
The fact they don’t know it is in itself proof our industry diminishes women. pic.twitter.com/ETmltDHCI4
However, some researchers were not happy with this decision, in particular Katie Moussouris, the owner of Luta Security and a well-known figure in the infosec community, who felt that Esage should have been paid the full bounty due.
|
|
So if you’re running a bug bounty that’s plagued with duplicates & wondering what to do - don’t look at your payment policies & NDA philosophy before giving yourself a hard technical look in the mirror 1st.
— Katie Moussouris (she/her) is getting vaccinated (@k8em0) April 11, 2021
Dupes are a big worry of programs that haven’t invested enough internally pic.twitter.com/OPsHDoUKI1
Moussouris offered to pay the bounty for Esage. She was somewhat agitated over what had happened, saying: "Douche noodles who demand to know why I’m not offering to pay for male partial wins in Pwn2own: I don’t owe you a debate. If someone supports a cause, is it cool to angrily demand they support all other causes equally? I’ve witnessed a partial win for a male get paid more."
And she went on: "In a hacking contest, it doesn’t need to be complicated to pay fairly & transparently. If you hack into a fully patched system, you win. Like the real world Prize payment contingent upon whether every bug in an exploit is already privately known to the vendor just breeds distrust.
"Since it’s entirely up to them [meaning ZDI] to pay or not, they could just pay for anything that’s not a dupe with other contestants, & offer 50% for IN-CONTEST dupes with the ability for ppl to get the full prize if they submit a new PoC with dupes replaced later. How much later? WHO CARES."
Last year, Moussouris set up a Pay Equity Now foundation which "emerged out of a pursuit to inspire and support efforts to close the gender and racial pay gaps, and a desire for actions to speak louder than words".
She deleted some of her later tweets, one of which is on the right.
Participants in the Pwn2Own contest are faced with a standard, patched vanilla configuration of the system they are targeting. The hardware is not known to them and they have 20 minutes to attack the target during the competition.
Another well-known researcher, Charlie Miller, said: "When did pwn2own rules change to 'the vendor can’t know about it'? When I was participating, there were some crazy rules, but when I got a shell, I knew I won. It didn’t matter what the vendor knew. In fact, I think they knew about one of my bugs and I still got paid..."
This year's contest had 23 separate entries targeting 10 different products in the categories of Web browsers, virtualisation, servers, local escalation of privilege and enterprise communications.
A total of US$1.21 million (A$1.58 million) was paid out as bounties in all.
