Hack2Win is a hacking competition we launched in 2013. Up until 2017 it had two flavors – Hack2Win Online and Hack2Win CodeBlue.

In 2018, we decided to go big with Hack2Win eXtreme, which focused on two primary targets: browsers and mobile. The winners of
Hack2Win eXtreme received prizes worth up to $500,000 USD!

Targets and prizes


Prizes per target


  • Firefox
    • Infoleak – 30,000$
    • Remote Code Execution – 60,000$
  • Chrome
    • Sandbox Escape Windows – 80,000$
    • Sandbox Escape Android – 100,000$
    • Remote Code Execution – 80,000$


  • Android
    • Privilege Escalation – 80,000$
    • Infoleak – 30,000$
  • iOS 
    • Privilege Escalation – 80,000$

Firefox Information Leak

A vulnerability would be regarded as an Information Leak if a code that leaks the full address of one of the following to a javascript variable:

  • Native thread stack
  • An address within xul.dll
  • The address of a heap allocation with fully controlled data

Lesser rewards may be awarded for leaks of address of other memory objects.

Integrity Level

For RCE vulnerabilities, executed code should run at the integrity level of the renderer process (‘Tab’) or higher. 

Device Settings

  • The targets will be running on the latest, fully patched version of the operating system available on the selected target.
  • All targets will be installed in their default configurations.
  • The vulnerabilities utilized in the attack must be unknown, unpublished, and not previously reported to the vendor.
  • A given vulnerability may only be used once across all categories.

Remote Code Execution without Sandbox Escape

  • To provide a testing environment for this vulnerability, Chrome will be launched without the Sandbox feature chrome.exe –no-sandbox.
  • The URL of the researcher will be accessed – this URL needs to be reachable to the phone by having your laptop of USB key contain a payload that will be served by a web server (yours or provided by us).
  • Code will be executed due to the access of this URL.
  • This will be the only interaction allowed with Chrome (the URL placement and opening of it), any additional popup or question presented to the user will not be considered as RCE and will be considered a social engineering vulnerability and will not qualify as an RCE.

Remote Code Execution

  • Code execution would be considered as one when its arbitrary shell code execution.
  • The shell code should in assembly (either native or compiled code stored as assembly instructions).
  • The shell code should be running without any character, opcode, length or other restrictions. If any such restrictions exist, this should be noted during the demonstration of the code execution. The preferred shell code execution outcome would be popping of calc triggered by launching the executable.