
On the first day of Pwn2Own Berlin 2026, security researchers collected $523,000 in cash awards after exploiting 24 unique zero-days.
Today’s highlight was the attempt by Orange Tsai, who was awarded $175,000 after chaining 4 logic bugs to achieve a sandbox escape on Microsoft Edge.
Windows 11 was also hacked three times by Angelboy and TwinkleStar03 (working with the DEVCORE Internship Program), Marcin Wiązowski, and Kentaro Kawane of GMO Cybersecurity, each earning $30,000 in cash rewards for demonstrating new privilege escalation zero-days.
Valentina Palmiotti (chompie) of IBM X-Force Offensive Research (XOR) also collected $20,000 after rooting Red Hat Linux for Workstations and another $50,000 for a zero-day in the NVIDIA Container Toolkit.
Other successful attempts include k3vg3n chaining 3 bugs to take down LiteLLM ($40,000), Satoki Tsuji and haehae exploiting NVIDIA Megatron Bridge zero-days ($20,000), Compass Security and maitai of Doyensec hacking OpenAI’s Codex coding agent (each earning $40,000), haehae dropping a Chroma zero-day ($20,000), and STARLabs SG an LM Studio zero-day ($40,000).
The DEVCORE Research Team is now leading the competition with $205,000, followed by Valentina Palmiotti with $70,000.
The Pwn2Own Berlin 2026 hacking contest, which focuses on enterprise technologies and artificial intelligence, takes place at the OffensiveCon conference from May 14 to May 16.
On the second day, the competitors will also attempt to exploit zero-days in Microsoft SharePoint, Microsoft Exchange, Windows 11, Apple Safari, Cursor, Red Hat Enterprise Linux for Workstations, LM Studio, OpenAI Codex, LiteLLM, Anthropic Claude Code, and Mozilla Firefox.
Security researchers targeting fully patched products in the web browser, virtualization, local privilege escalation, servers, enterprise applications, cloud-native/container, local inference, and LLM categories can earn over $1,000,000 in cash and prizes.
According to Pwn2Own’s rules, all targeted devices run the latest operating system versions, and all entries must compromise the target and demonstrate arbitrary code execution.
After the zero-day flaws are disclosed during the Pwn2Own competition, vendors have 90 days to release security fixes for their software and hardware products.
Last year, Trend Micro’s Zero Day Initiative awarded $1,078,750 for 29 zero-day vulnerabilities and some bug collisions.




