Security researchers collected $1,298,250 after exploiting 47 zero-day flaws at Pwn2Own Berlin 2026, a hacking contest held at OffensiveCon in Berlin from May 14 to May 16 that focused on enterprise technologies and artificial intelligence.
KEY FACTS
- Total rewards: $1,298,250 for 47 zero-day flaws
- Timeline: The contest ran for three days at OffensiveCon
- Top team: DEVCORE won with 50.5 Master of Pwn points and $505,000
- Largest bounty: $200,000 for a Microsoft Exchange exploit chain
The competition targeted fully patched products across web browsers, enterprise applications, local privilege escalation, servers, local inference, cloud-native and container environments, virtualization, and LLM categories. Researchers earned $523,000 on the first day for 24 unique zero-days, $385,750 on the second day for 15 zero-days, and $389,500 on the third day for eight more.
DEVCORE finished ahead of STARLabs SG and Out Of Bounds. Cheng-Da Tsai, also known as Orange Tsai, won the top prize after chaining three bugs to gain remote code execution with SYSTEM privileges on Microsoft Exchange, while other awards went to exploits against Microsoft Edge, Windows 11, Red Hat Linux for Workstations, NVIDIA Container Toolkit, Microsoft Exchange, and VMware ESXi.
After the contest, vendors have 90 days to release patches before the Zero Day Initiative publicly discloses the flaws. Last year’s Pwn2Own Berlin paid out $1,078,750 for 29 zero-day flaws and bug collisions.
WHY IT MATTERS
The results show how much value vulnerability research can uncover in widely used enterprise and AI software. The 90-day patch window gives vendors time to fix the issues before public disclosure, but it also leaves a limited period for organizations to assess exposure and apply updates.

