The Tianfu Cup 2019 International Cyber Security Competition has started; over two days, white hat hackers will attempt to exploit flaws in major software.

The Tianfu Cup 2019 International Cyber Security Competition has started, and white hat hackers will attempt to devise working zero-day exploits for popular software.

Each working exploit receives a cash prize and points that are assigned to the team that devised it, as in the popular Pwn2Own hacking contest.

Chinese white hat hackers have a long history of success; they won several international hacking contests in the past, but in 2018 the Chinese government prohibited Chinese experts from participating in this kind of competition abroad.

Following the Chinese government's decision, the Tianfu Cup was set up for the first time in the fall of 2018. Last year, white hat hackers earned more than $1 million for zero-day exploits disclosed at the Tianfu Cup PWN competition.

According to the organizers, in 2018 hackers earned $1,024,000 for a total of 30 vulnerabilities. Most of the money, $620,000, was paid to a team from cybersecurity firm Qihoo 360. Other participants were teams from universities, Tencent, financial service provider Ant Financial, and independent researchers.

During Day 1 of the Tianfu Cup 2019 contest, 13 hacking attempts out of a total of 32 were successful, 13 attempts failed, and in 12 cases the researchers abandoned the attempt.

Below is the list of successful attempts:

Researchers from the ddd @ExpSky and 360vulcan @mj0011sec teams achieved remote code execution and sandbox escape on the version of Microsoft Edge based on the EdgeHTML engine. Each exploit earned $55,000; team .(dot) got $10,000 for RCE.

Congrats! All the three Edge exploits are confirmed to be success! Teams ddd @ExpSky and 360vulcan @mj0011sec both achieved RCE + sandbox escape, so each earned $55,000. Team .(dot) get $10,000 with RCE. — TianfuCup (@TianfuCup) November 16, 2019

Team 0x34567a61 (@Xbalien29, @leonwxqian) and Team ddd @ExpSky earned $20,000 for two Chrome exploits.

Exploit against #Chrome are verified to be effective. Team 0x34567a61 @Xbalien29 @leonwxqian and Team ddd @ExpSky got $20,000 in their pockets, respectively. Congrats! — TianfuCup (@TianfuCup) November 16, 2019

Researcher @codecolorist got a partially successful entry on Safari and earned $30,000.

StackLeader @codecolorist was just verified to get a partially successful entry on #Safari. They earned a bonus of $30,000. — TianfuCup (@TianfuCup) November 16, 2019

Team HAC, team StackLeader (@yuzhou6666, @ppdonow) and team NoTrace Security Lab @NoTrace24657171 successfully hacked the D-Link DIR-878.

Three teams HAC, team StackLeader @yuzhou6666 @ppdonow and team NoTrace Security Lab @NoTrace24657171 controlled #DLink DIR-878 successfully. There will be several other teams working on this target tomorrow. Let’s wait for the bonus result tomorrow. — TianfuCup (@TianfuCup) November 16, 2019

360Vulcan @guhe120 controlled Office365 by downloading an RTF document via Edge. The exploit partially bypassed #ProtectionView to gain control. The researcher received a bonus of $40,000.

The researchers from Bit- STARLabs @PTDuy and StackLeader (@0x140ce, @Jdddong, @ppdonow) achieved RCE on Adobe PDF Reader.

The researcher 360Vulcan @Xiaowei__ received the highest bounty for a single exploit on Day 1: he devised an exploit on Ubuntu + qemu-kvm and achieved partial control of the host. He received a bonus of $80,000.

The exploit on Ubuntu + #qemu-kvm achieved partially control of the host. A bonus of $80,000 was won by 360Vulcan @Xiaowei__ being the highest bounty for a single exploit in Day 1 #TFC. — TianfuCup (@TianfuCup) November 16, 2019

Let’s wait for new successful attempts on Day 2.

Pierluigi Paganini