Hack2Win is a hacking competition we launched 5 years ago. So far it had two flavors - Hack2Win Online and Hack2Win CodeBlue.

We decided to go big this year with Hack2Win eXtreme! Hack2Win eXtreme will focus on two primary targets, browsers and mobile.
We have up to $500,000 USD to give away, the competition will take place during the beVX conference Hong Kong, on September 20-21, 2018.

Targets and prizes











Registration is free to all, not limited to conference attendees.
To participate in Hack2Win eXtreme please send the following information to ssd@beyondsecurity.com:
  • Name/Alias for public use
  • Contact name (will not be made public - optional)
  • Contact Information (will not be made public)
  • Category 
If you win the competition, we will ask you for the following information (it will not be made public):
  • Contact name
  • Address
  • Contact phone number
  • Contact Email
  • Payment information (wire transfer info, paypal or address for mailing a check)


Competition Period

The competition will be held September 20-21 2018 during the beVX conference in Hong Kong



Beyond Security is offering cash and prizes during the competition for vulnerabilities and exploitation techniques against the listed targets in the below categories.

If more than one contestant registers for a given category, the order of the contestants will be drawn at random.

Based on the participation order, the first contestant will be given an opportunity to attempt to compromise the selected target. If unsuccessful, the next randomly drawn contestant will be given an opportunity, and so on. This will continue until a contestant successfully compromises the target.

The first contestant to successfully compromise a selected target will win the prize money for that target in that category.

After a target has been compromised, the contest for that category will be over. Beyond Security may decide to continue the contest and offer an additional prize for that target, in which case this would be announced at the conference.

All prizes are in USD.



  • Browsers
  • Mobile


Targets Devices

  • Android
    • Pixel 2 and Galaxy S8 w/ latest available Android and security patch(vuln should preferably work on both devices)
  • iOS
    • iPhone X w/ latest iOS
  • Firefox RCE and Info Leak
    • Latest Firefox on latest Windows 10
  • Chrome RCE and SBE
    • Latest Chrome on latest Windows 10
  • Chrome SBE (Android/ Android Prize)
    • Latest Chrome on Pixel 2 and Galaxy S8 w/ latest available Android and security patch (vulnerability should preferably work on both devices)

Prizes per target


  • Firefox
    • Infoleak - 30,000$
    • Remote Code Execution - 60,000$
  • Chrome
    • Sandbox Escape Windows - 80,000$
    • Sandbox Escape Android - 100,000$
    • Remote Code Execution - 80,000$


  • Android
    • Privilege Escalation - 80,000$
    • Infoleak - 30,000$
  • iOS 
    • Privilege Escalation - 80,000$


Chrome Information Leak

A vulnerability would be regarded as an Information Leak if a code that leaks the full address of the following to a javascript variable:

  • Native thread stack
  • An address within xul.dll
  • The address of a heap allocation with fully controlled data

Lesser rewards may be awarded for leaks of address of other memory objects.


Device Settings

The targets will be running on the latest, fully patched version of the operating system available on the selected target.

All targets will be installed in their default configurations.

The vulnerabilities utilized in the attack must be unknown, unpublished, and not previously reported to the vendor.

A given vulnerability may only be used once across all categories.


Winner selection

Upon successful demonstration of the exploit, the contestant will provide a fully functioning exploit plus a whitepaper explaining the vulnerabilities and exploitation techniques used in the attack. Beyond Security will then determine whether the exploit meets the above rules. Beyond Security may choose to accept the entry(ies) but offer a prize at a value less than the initial prize offering for a given category if it decides that part of the exploit chain fails to meet the above rules.

A short white paper including details about all of the vulnerabilities (memory corruption, infoleaks, escalations, etc.) leveraged and the sequence in which they are used must be provided to receive the prizes.

Vulnerabilities and exploit techniques revealed by contest winners will be disclosed to the affected vendors and the exploits and whitepapers will be the property of Beyond Security. The original finder of the vulnerability will receive credit for the vulnerabilities, the whitepaper and the disclosure.

NOTE: Beyond Security reserves the right to solely determine what constitutes a successful attack.


Who Can Apply

The Hack2Win eXtreme is open for registration to anyone who is 18 years of age or older at the time of registration - excluding anyone working for one of the vendors whose equipment is used in the contest or is involved in development of the devices used in the contest. Also excluded are Beyond Security employees and any of its affiliates.

Applicants may apply individually or as a team. All applications must contain valid, true, complete and accurate information.

Beyond Security reserves the right to disqualify any applicant and/or application, at its sole discretion, if untruthful information is submitted.

Beyond Security reserves the right to request further information from the Participant, as may be required in order to evaluate their ability to perform the required tasks at the Competition (this request may include the evidencing of formal identity documents)



2018/Feb - Added new target and prize

2018/Apr - Clarified the SBE targets (added Windows where no OS was written before). Added explanation on Chrome Information Leak