Pwn2Own Berlin 2026: $1.3M Paid for 47 Zero-Days, DEVCORE Sweeps Master of Pwn
DEVCORE banked $505,000 chaining bugs across SharePoint, Exchange, Edge, and Windows as AI coding agents joined the target list for the first time.
AnIntent Editorial
DEVCORE walked out of Pwn2Own Berlin 2026 with $505,000 and the Master of Pwn title after breaking Microsoft SharePoint, Exchange, Edge, and Windows over three days at OffensiveCon. The Taiwanese team's run accounted for nearly 40 percent of the contest's $1,298,250 total payout, which Trend Micro's Zero Day Initiative distributed across 47 unique zero-day vulnerabilities reported between May 14 and 16.
The 2026 edition is the first to include dedicated categories for AI coding agents and local inference engines, and researchers cleared the bar on the first try. OpenAI Codex, Claude Code, LM Studio, Ollama, Cursor, NVIDIA Megatron Bridge, and Chroma all fell to working exploits during the three-day event.
The numbers tell a sharper story than any single headline bug. Researcher supply is outrunning the prize pool, AI tools are priced like a curiosity, and the highest-value bounty on the board went home untouched.
DEVCORE's $505,000 Run Through Microsoft's Stack
The headline payout of the contest went to a Microsoft Exchange remote code execution that yielded SYSTEM privileges and earned DEVCORE $200,000, according to SecurityWeek. That single demonstration matched the maximum Exchange bounty ZDI advertised in March when it published the 31-target list and the pre-event prize pool of more than $1 million.
Orange Tsai then chained four logic bugs to escape the Microsoft Edge sandbox, a demonstration SecurityWeek valued at $175,000. A separate two-bug chain from DEVCORE researcher splitline took down SharePoint for another $100,000 and 10 Master of Pwn points, CyberInsider reported.
The scoreboard was not close. STARLabs SG finished second with 25 points and $242,500, with Out Of Bounds third at 12.75 points and $95,750, per CyberInsider's recap. DEVCORE's 50.5 points were double the runner-up's total.
DEVCORE's chains also illustrated how Pwn2Own scoring rewards depth over breadth. Each successful demonstration of a higher-value target pays more points, and the team's decision to spend slots on Exchange and SharePoint rather than chase several smaller browser bugs is what produced the runaway score. STARLabs SG's second-place result came on the strength of a single $200,000 VMware ESX exploit, not a portfolio of smaller wins.
The broader Microsoft picture is worse than the individual payouts suggest. Four different DEVCORE submissions, plus separate work from Viettel Cyber Security and others, all targeted fully patched Microsoft products and succeeded. Redmond's defenders have 90 days from the contest end to ship fixes before ZDI's disclosure clock, which Bleeping Computer's coverage tracks, expires and public technical write-ups begin.
The Hyper-V Bounty Nobody Claimed
The most revealing number at Pwn2Own Berlin 2026 is one that was never paid: the $250,000 Hyper-V Client guest-to-host bounty ZDI listed in its target announcement. No team submitted a successful guest-to-host escape. That is the highest single bounty in the contest, and it sat untouched while researchers queued for VMware ESX and Microsoft Exchange instead.
Hyper-V's resilience matters because the same hypervisor underpins Azure tenant isolation and Windows 11's virtualization-based security. A working escape would have implications well beyond a developer laptop. The eight failed exploit attempts SecurityWeek catalogued included a second SharePoint try, a second Codex attempt, Safari, Firefox, Oracle Autonomous AI Database, NVIDIA Container Toolkit, a second Red Hat Enterprise Linux for Workstations try, and VMware ESX, but the empty Hyper-V slot is the more telling absence because nobody even attempted it within the contest window.
That does not mean Hyper-V is unbreakable. It means the economics of disclosure no longer favor burning a Hyper-V chain at Pwn2Own when private brokers and government buyers will pay multiples of $250,000 for the same capability. The contest's pricing schedule is starting to lag the gray market on the highest-value targets.
There is a secondary reading worth noting. A guest-to-host chain typically requires multiple primitives held in reserve over months, and burning one at a public contest means losing it for any future research project. The teams capable of producing such a chain are the same teams most likely to have downstream uses for it. ZDI's bounty structure asks researchers to make that trade in public, and the empty slot suggests the trade is not currently worth making.
The AI Tools That Fell on Day One
This was the first Pwn2Own where AI tools sat in the same bracket as browsers and hypervisors, and researchers treated them accordingly. Satoki Tsuji of Ikotas Labs exploited OpenAI Codex through an external control mechanism abuse for $20,000 and 4 Master of Pwn points.
The full AI casualty list, per SecurityWeek, paid $20,000 each for Codex, Claude Code, LM Studio, NVIDIA Megatron Bridge, and Chroma, while Cursor exploits ranged from $15,000 to $30,000 and Ollama earned $28,000 after a known CVE reduced the payout. Every AI coding agent on the target list was compromised. Only a second Codex attempt failed.
The payout structure is the story. A $20,000 bounty for breaking the same Codex that ships inside paid GitHub workflows, set against a $200,000 bounty for breaking Exchange, tells you exactly how the market currently values exposure across an enterprise. That gap will not survive contact with the first real production incident, and the AI category prices at Pwn2Own Ireland in October are the number to watch.
The attack surface itself is also new in ways the bounties do not yet reflect. Coding agents read files, execute commands, and call external tools on a developer's behalf. An external control mechanism abuse of the kind Tsuji demonstrated against Codex is closer in shape to a server-side request forgery than to a traditional browser exploit, but the consequences fall on whatever credentials and source code the agent has access to. ZDI's original target announcement framed the Coding Agents and Local Inference categories as recognition that AI developer tools are an enterprise attack surface, and the Day 1 results confirmed the framing was correct. Readers tracking the broader picture can follow AnIntent's AI Safety coverage and Privacy & Security category for the disclosed CVEs as they land.
VMware, Linux, and the Windows 11 Pile-On
STARLabs SG took the virtualization crown with a $200,000 VMware ESX exploit that included the cross-tenant code execution add-on, SecurityWeek confirmed. That figure matches ZDI's pre-announced $150,000 base plus the $50,000 cross-tenant bonus from the target list.
Local privilege escalation submissions dominated the smaller payouts. Viettel Cyber Security researchers Le Tran Hai Tung, dungnm, and hieuvd used an integer overflow to escalate privileges on Windows 11 for $7,500, one of multiple zero-day exploits Windows 11 absorbed during the contest. Hyunwoo Kim chained a use-after-free with an uninitialized memory flaw to escalate on Red Hat Enterprise Linux for Workstations for $5,000.
Valentina Palmiotti of IBM X-Force Offensive Research had the strongest single day from an individual researcher. She earned $20,000 for root on Red Hat Linux for Workstations and another $50,000 for a zero-day in the NVIDIA Container Toolkit, totaling $70,000 on Day 1 alone.
Day totals from Bleeping Computer's tally tracked the volume: $523,000 across 24 zero-days on Day 1, $385,750 across 15 on Day 2, and $389,500 across 8 on Day 3. The contest paid more on Day 1 than the final day, but the third day's higher per-bug average reflects the harder targets researchers saved for the end.
The categorical breadth is what separates this year's contest from earlier ZDI events. Ten target categories produced successful exploits, covering web browsers, enterprise applications, LLM and coding agents, local inference, containers, NVIDIA hardware, and virtualization. No single product category dominated the bug count, which is unusual for Pwn2Own. In past years, browsers have typically produced the longest list of submissions. This time, enterprise applications and AI tools collectively outpaced the browser category.
The Disclosure Problem ZDI Has Not Solved
The 2026 contest broke its own model. ZDI ran out of contest time slots before registration closed on May 7, and multiple teams were turned away. Some of those rejected researchers then disclosed their exploits directly to vendors, bypassing the coordinated-disclosure structure that justifies Pwn2Own's existence.
That is a structural problem, not a scheduling one. The 47 zero-days that did get demonstrated are the visible portion of the supply. The exploits ZDI could not absorb went somewhere, either to vendors directly or, less charitably, into private holdings for a future contest or a different buyer. The five-day window between registration closing on May 7 and the contest opening on May 14, as ZDI's announcement post documents, is short enough that any team holding a working chain has limited time to redirect it.
The year-over-year math frames the demand. SecurityWeek's recap notes the 2025 Berlin event paid $1,078,750 for 29 zero-days, so 2026's $1,298,250 for 47 vulnerabilities is a 20.3 percent payout increase against a 62 percent jump in unique bugs. Researcher supply is growing faster than the prize pool, which is exactly the pressure that produces out-of-band disclosures.
The disclosure norm breakage has practical consequences. Pwn2Own's value to vendors comes from the 90-day patch window and the structured handoff of working exploit code through ZDI. When researchers go direct to vendors, those vendors get the bug without the standardized triage package, and the public timeline becomes whatever the vendor decides to publish. For a SharePoint or Exchange bug, that distinction matters because customers schedule patch cycles around predictable disclosure dates.
For context on the broader security tooling shift, AnIntent's tutorial on running a vulnerability scan with OpenAI Daybreak covers how some of the same AI coding agents now appearing as Pwn2Own targets are simultaneously being marketed as defensive products.
What to Watch Before August 14
The disclosure clock is the next deadline that matters. ZDI gives vendors 90 days after the contest closes to ship patches before technical details go public, which puts the cutoff at August 14, 2026. Microsoft's Patch Tuesday on August 12 is the most likely vehicle for the SharePoint, Exchange, Edge, and Windows fixes. If any of the DEVCORE chains slip past that date, the public disclosure that follows will detail working exploit code against fully patched configurations.
The AI category bounties at Pwn2Own Ireland later in 2026 are the second signal. If Codex, Claude Code, and Cursor stay at $20,000 to $30,000 after this round of disclosures, ZDI is telling the market that AI coding agent exposure is still priced like a niche category. If those numbers double, the contest is catching up to where the threat actually sits.
The third signal is whether ZDI expands the slot count for Ireland. The supply overflow in Berlin was a contained embarrassment because most rejected teams chose direct vendor disclosure rather than auction. A repeat in Ireland with the same constraints would push more researchers toward private channels, and at that point the public disclosure pipeline starts to thin in ways that are harder to reverse.
Frequently Asked Questions
Who won Master of Pwn at Pwn2Own Berlin 2026?
DEVCORE won Master of Pwn with 50.5 points and $505,000 in total payouts after successful exploits against Microsoft SharePoint, Microsoft Exchange, Microsoft Edge, and Windows. STARLabs SG finished second with 25 points and $242,500, and Out Of Bounds came third with 12.75 points and $95,750.
Which AI tools were hacked at Pwn2Own Berlin 2026?
Researchers successfully exploited OpenAI Codex, Claude Code, LM Studio, NVIDIA Megatron Bridge, Chroma, Cursor, and Ollama during the contest. Codex, Claude Code, LM Studio, Megatron Bridge, and Chroma each paid $20,000, while Cursor exploits ranged from $15,000 to $30,000 and Ollama paid $28,000 after a known CVE reduced the bounty.
When will Pwn2Own Berlin 2026 vulnerabilities be publicly disclosed?
Trend Micro's Zero Day Initiative gives affected vendors 90 days from the end of the contest to release patches before technical details are made public. With the contest ending May 16, 2026, the public disclosure window opens around August 14, 2026.
Why was the Hyper-V exploit bounty never claimed?
ZDI offered $250,000 for a Hyper-V Client guest-to-host escape, the highest single bounty in the 2026 contest, but no team submitted a successful demonstration. The empty slot suggests private exploit brokers now outbid Pwn2Own on the highest-value virtualization targets.
How does Pwn2Own Berlin 2026 compare to the 2025 event?
The 2026 contest paid $1,298,250 for 47 unique zero-days, compared with $1,078,750 for 29 zero-days at Pwn2Own Berlin 2025. That works out to a 20.3 percent increase in payouts against a 62 percent increase in unique vulnerabilities reported.