The final numbers are quite impressive:
- 6 bugs in the Windows operating system
- 5 bugs in the OS X operating system
- 4 bugs in Adobe Flash
- 3 bugs in Apple Safari
- 2 bugs in Microsoft Edge
- 1 bug in Google Chrome (duplicate of a previously submitted bug)
- $460,000 USD bounty paid out to researchers
What is the methodology of this competition?
Would only direct attacks?
It’s all about finding previously unknown exploitable bugs, or, as it is sandboxed software, chains of bugs. I guess every researcher has their own method for finding them.
If an exploited bug is already known, the contestant gets no money for that bug, but for the other bugs that were found (see Chrome, day one).
You can find the rules etc. here.