With Black Hat USA 2023 looming, it’s time to start thinking about the Oscars of cybersecurity, the Pwnie Awards. The statuettes will be handed out live in Las Vegas on Wednesday, Aug. 9, at 6:30 pm – with the exception of this year’s Lifetime Achievement Pwnie, which was awarded at the Summercon hackers’ meetup in Brooklyn, New York on July 14, when the other nominees were announced.
Margin Research’s Sophia d’Antoine and Ian Roos presented the nominees. Of the more than 80 nominations and 30 finalists, Roos said, “All those have research papers attached to them, so if you feel like we didn’t do an effective job of characterizing how important your special bug was, it’s because we didn’t.”
Now onto the nominees, in list format for brevity. First comes the name of the bug; then the nominee; and then a brief explanation of what it is, all separated by semicolons. Where it exists, commentary appears at the end of the bullet item.
Best Desktop Bug
Best Mobile Bug (Lol RIP)
For this category, the spreadsheet had two entries:
The first entry is pretty clear. As d’Antoine explained, “Over the last few years, we’ve seen a decrease in the amount of bugs nominated for the Pwnie Awards, but also just publicized online, related to mobile specifically.”
The second is more cryptic. It apparently alludes to this Vice article from 2022, as the writer of that piece pointed out from what looks like the fifth row at Summercon. One might have to squint to see this as implying a favorable opinion of NSO Group, though.
Best Cryptographic Attack
Best Song
Roos apologized for not having the time to play the songs, then offered to beatbox them before demurring, “I know I’m dressed for the part, but it’s not going to deliver.”
“Shout out to Hugo [Fortier] from Recon for taking the time to submit, like, 10 songs in this category,” d’Antoine said. “It takes the community to make the Pwnie Awards happen.”
Most Innovative Research
As Roos pointed out, “A lot of these were from Recon as well.”
Most Under-Hyped Research
Best Privilege Escalation
Best Remote Code Execution
Lamest Vendor
Most Epic Fail
Epic Achievement
Lifetime Achievement Award Winner: Mudge
Last year, the team presented an extra statuette to Dino Dai Zovi, founder of the Pwnie Awards, as the ceremony’s first lifetime achievement award. “We decided we’re going to keep doing that,” Roos said in Brooklyn last week. “If you haven’t already guessed, we’re going to give the 2023 Lifetime Achievement Award for the Pwnie Awards to Mudge. Where’s Mudge? Is he in the green room?”
D’Antoine added, “We know he’s here.”
After a few moments, Mudge — sometimes called Peiter Zatko, the L0pht hacker who grew up to work for DARPA, Google, Stripe, and, most notoriously, Twitter, before accepting his current role at Rapid7 — came out from backstage, wearing a short-sleeve raglan tee and black jeans.
Roos said, “This is a lifetime achievement award for everything you’ve done to create the industry and put it into a place where it exists and it’s real. So, thank you.”
Mudge hugged Roos, then held up his Pwnie and said (off mic), “Thank you.”
On mic, Mudge said, “It’s the community, and it’s everybody else who’s enabled all of this, and I love this community. This means a lot to me. … You’ve always been there, and I hope I’ve been there for you.”