The organizers of the Pwn2Own hacking competition held at the annual CanSecWest security conference have upped the prize pool to $US560,000 and will now be offering prizes for hacking web plug-ins from Adobe and Oracle. The contest, which dropped mobile phone hacking last year, has added web plug-in hacking to the prize pool. …
"If the full exploit & technique are shared with the vendor, we will probably *not* enter.."
At first I thought that comment was a little selfish, especially if you get 100k for a demo. Then, however, you ONLY get 100k for a demo, and that seems like an extremely fair price for a demo. The demo will be loaded with hints on how to fix the problem, so 100k might be too cheap! Not to mention, the respective company got off really cheap for what could have been millions in R&D. So I can see why honest people wouldn't want to disclose the entire process, which is essentially doing a possible multi-million dollar job for just a crumb of the cake.
Re: Cake crumbs?
That's a big part of the problem. It's kind of like a medical company that has found the cure for a disease but also makes drugs to treat the disease itself. They make more money in the long run treating the symptoms than actually curing the disease. In this case, security researchers sell prevention and detection tools, consulting services, and the exploit tools themselves, rather than telling the vendors how to fix the problems directly.
I understand the financial motivation of not wanting to disclose it all, but I think the real purpose of these competitions is for vendors to learn about potential weaknesses and ultimately FIX the problems to make the product better for everyone. You're getting cash, prizes, the priceless free publicity from the event, plus the good karma from helping make the products safer for the masses. I think all that should be more than enough to compensate you for telling them how you pwned their product, but I guess that's why I'm not filthy rich... :-)