In a nutshell, competitors have to demonstrate remote code execution with minimal user interaction. The first to succeed wins the attacked device (laptop or mobile phone), $US10,000 cash, and certain benefits.
This year's targets are Microsoft Internet Explorer 8 on Windows 7, Mozilla Firefox 3 on Windows 7, Google Chrome 4 on Windows 7, and Safari 4 on Mac OS X Snow Leopard.
That's for the first day of competition. Windows 7 is replaced with Vista on day two, and XP on day three.
On the mobile phone side, the targets are iPhone (3GS), BlackBerry (Bold 9700), Symbian S60 (Nokia), and Android (Motorola).
What's wrong with media coverage of the Pwn2Own results?
Don't be fooled by anyone who tries to downplay the winning exploits with statements like "but I never visit untrustworthy sites." There have been sufficient attacks where content has been modified in some way or malicious ads loaded onto servers to rule that out as a security strategy. Even bona fide government sites have been hacked.
There are two main problems with the coverage you'll see this week.
Firstly, it's almost certain that we'll see headlines along the lines of "iPhone first to fall in Pwn2Own hacking competition".
Why? Because the organisers have a random draw to determine the order in which competitors get to show their stuff, and the first spot has gone to a pair targeting the iPhone.
The second competitor is 2008 and 2009 winner Charlie Miller, who is again targeting Safari. (Yes, Miller was first to go in 2009, but Safari, Internet Explorer 8 and Firefox were all compromised in the same round of the competition.)
Why does that matter?
And that brings us to the second problem. A considerable number of commentators made a big deal about the way Miller took less than two minutes to compromise Safari last year. How long do you think it takes to use an exploit?
It's not as if competitors are put in a closed room with a browser and operating system they've never seen before. Entrants typically spend weeks or months looking for flaws and then working out how they can be exploited.
So they arrive at the conference with a ready-made exploit, and typically all that's needed is to type a URL into the browser.
Consequently, there's no point in trying to read anything into how 'quickly' any entrant appears to defeat any of the platforms.
In the hope of staving off ill-informed comments (informed and thoughtful comments are always welcome, even if they take a contrary view), I'll close with a recap: the vulnerabilities revealed by the Pwn2Own contest almost certainly represent genuine security threats, but the nature of the competition means that neither the order in which the browsers are defeated nor the time taken to use an exploit tells us anything about their relative security.