Windows 11 and Microsoft Edge hacked at Pwn2Own Berlin 2026

On the inaugural day of Pwn2Own Berlin 2026, a remarkable total of 3,000 was awarded to security researchers who successfully exploited 24 unique zero-day vulnerabilities. This event, which is a highlight in the cybersecurity calendar, showcases the ingenuity and skill of participants in identifying and addressing potential threats to enterprise technologies and artificial intelligence.

Notable Achievements

Among the standout performances was that of Orange Tsai, who garnered 5,000 after ingeniously chaining four logic bugs to achieve a sandbox escape on Microsoft Edge. This impressive feat underscores the ongoing challenges faced by major software platforms in maintaining security integrity.

Windows 11 also came under scrutiny, with three successful hacks executed by Angelboy and TwinkleStar03, Marcin Wiązowski, and Kentaro Kawane of GMO Cybersecurity. Each of these researchers earned ,000 for demonstrating new privilege escalation zero-days, highlighting the persistent vulnerabilities within widely used operating systems.

Valentina Palmiotti, known in the community as chompie, made significant strides as well, collecting ,000 for rooting Red Hat Linux for Workstations and an additional ,000 for a zero-day in the NVIDIA Container Toolkit. Her contributions reflect the critical importance of addressing vulnerabilities in both operating systems and development tools.

Other notable exploits included:

  • k3vg3n, who chained three bugs to take down LiteLLM, earning ,000.
  • Satoki Tsuji and haehae, who exploited NVIDIA Megatron Bridge zero-days for a reward of ,000.
  • Compass Security and maitai of Doyensec, who successfully hacked OpenAI’s Codex coding agent, each earning ,000.
  • haehae, who dropped a Chroma zero-day, securing another ,000.
  • STARLabs SG, who exploited an LM Studio zero-day for ,000.

The DEVCORE Research Team currently leads the competition with a total of 5,000 in earnings, followed closely by Valentina Palmiotti with ,000. This competitive atmosphere fosters innovation and collaboration among researchers, pushing the boundaries of cybersecurity.

The Pwn2Own Berlin 2026 contest is being held at the OffensiveCon conference from May 14 to May 16, where participants will continue to target zero-days in a variety of platforms, including Microsoft SharePoint, Microsoft Exchange, and Apple Safari, among others. The stakes are high, with over ,000,000 in cash and prizes available for those who can successfully exploit fully patched products across various categories.

According to the rules of Pwn2Own, all targeted devices must run the latest operating system versions, and participants are required to demonstrate arbitrary code execution to validate their exploits. Following the disclosure of any zero-day flaws during the competition, vendors are given a 90-day window to release necessary security fixes, ensuring that the cybersecurity landscape remains vigilant and responsive.

Last year, the Trend Micro Zero Day Initiative awarded a staggering ,078,750 for 29 zero-day vulnerabilities, emphasizing the ongoing need for robust security measures in an increasingly digital world.
