The world’s most prestigious hacking contest just ran into a problem it didn’t see coming: too many hackers, too many working exploits, and not enough room for either.
Pwn2Own Berlin 2026 opened Thursday with four confirmed exploits and $285,000 paid out on Day One. But before a single researcher stepped onto the stage at OffensiveCon, the Zero Day Initiative had already turned away researchers carrying working zero-day chains — for the first time in the program’s 19-year history. Some of those researchers are now releasing their findings publicly.
Dustin Childs, head of threat awareness for the TrendAI Zero Day Initiative program, confirmed the situation to Security Point Break on Thursday. “We knew the AI targets were going to generate a lot of entries, and we thought our initial plans would be sufficient,” Childs said. “We were clearly incorrect about the rate of late entries.”
The Number That Explains Everything
ZDI program submissions have increased 450% year-over-year. Childs confirmed the surge is a direct consequence of researchers using AI tools to find vulnerabilities and generate the contest documentation required to register. In the 72 hours before registration closed on May 7, ZDI received close to 100 entries — a volume its fixed three-day schedule, finite live attempt slots, and in-person validation process simply couldn’t absorb.
“The increased number of entries this year is the direct result of researchers using AI tools to both find bugs and create the documentation needed to register for the contest,” Childs told SPB.
A Firefox Zero-Day That Broke the Contest From the Outside
The most concrete consequence of the overflow hit Firefox. Researcher ggwhyp, rejected from the contest, posted publicly on X: “I was hoping to compete in Pwn2Own with a Firefox full-chain entry, but unfortunately it was rejected. I’ve reported the vulnerability to the Mozilla team.”
That disclosure — the responsible move on ggwhyp’s part — had immediate collateral damage inside the competition. Childs confirmed it on record: “The fix for this bug ended up knocking out other Firefox entries from the competition.”
In other words: a rejected researcher did the right thing, Mozilla patched, and accepted contestants lost their entries. No payout, no stage time, no recourse.
The ggwhyp proof-of-concept — a full-chain browser-to-OS exploit for Firefox on Windows — has been described by multiple security outlets as a working attack that launches arbitrary code execution from a simple HTML page. Security researcher Rod Trent covered it independently, calling it “a complete browser-to-OS exploit chain for Firefox on Windows” that “demonstrates a reliable full-chain attack.”
SPB reached out to Mozilla for comment on patch status. Mozilla had not responded at the time of publication. Firefox users on Windows should monitor Mozilla’s security advisories until a fix is confirmed.
UPDATE: Mozilla Responds
Mozilla confirmed to Security Point Break that Firefox 150.0.3, which shipped earlier this week, addresses the vulnerabilities disclosed by ggwhyp.
“Mozilla can confirm receipt of vulnerability reports from researcher ggwhyp related to Firefox on Windows,” a Mozilla spokesperson told SPB. “The issues were responsibly disclosed to us and addressed in Firefox 150.0.3, which shipped earlier this week.”
Mozilla has published a full advisory for the fix.
On the question of active exploitation, Mozilla said it has seen no evidence of attacks in the wild. “At this point, we’re not aware of any active exploitation of these vulnerabilities in the wild.”
Mozilla also clarified the current state of the proof-of-concept: “We are aware of the public discussion and demonstration videos circulating around this research, but to our knowledge, proof-of-concept exploit code has not been publicly released.”
If you’re running Firefox on Windows: update to 150.0.3 now. Check your version under Help → About Firefox. The update should be available automatically.
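For administrators who need to confirm the update across Windows hosts rather than through the About dialog, the following PowerShell check is an added example written for this article, not code from Mozilla or ZDI. It assumes a release-channel Firefox installed in the standard locations (the `HKLM\SOFTWARE\Mozilla\Mozilla Firefox` registry key or the default Program Files path); ESR builds carry their own version line and are not mapped here.

```powershell
# Added example: report whether the installed Firefox is at or above 150.0.3,
# the release Mozilla says addresses the ggwhyp findings.
$FixedVersion = [version]'150.0.3'

function Get-FirefoxVersion {
    # Firefox records its version under HKLM\SOFTWARE\Mozilla\Mozilla Firefox\CurrentVersion
    # as a string such as "150.0.3 (x64 en-US)"; fall back to the executable's metadata.
    $keys = @('HKLM:\SOFTWARE\Mozilla\Mozilla Firefox',
              'HKLM:\SOFTWARE\WOW6432Node\Mozilla\Mozilla Firefox')
    foreach ($k in $keys) {
        $cv = (Get-ItemProperty -Path $k -ErrorAction SilentlyContinue).CurrentVersion
        if ($cv) { return ($cv -split ' ')[0] }
    }
    foreach ($dir in @($env:ProgramFiles, ${env:ProgramFiles(x86)})) {
        if (-not $dir) { continue }
        $exe = Join-Path $dir 'Mozilla Firefox\firefox.exe'
        if (Test-Path $exe) { return (Get-Item $exe).VersionInfo.ProductVersion }
    }
    return $null
}

function Test-FirefoxPatched {
    param([string]$Installed, [version]$Required = $FixedVersion)
    # Beta strings such as "150.0b3" do not cast to [version]; strip the suffix first.
    $clean = ($Installed -replace '[^\d.].*$', '')
    try { return ([version]$clean -ge $Required) } catch { return $false }
}

$installed = Get-FirefoxVersion
if (-not $installed) {
    Write-Output 'Firefox not found in the registry or default install paths.'
} elseif (Test-FirefoxPatched $installed) {
    Write-Output "Firefox $installed is at or above $FixedVersion."
} else {
    Write-Output "Firefox $installed is below $FixedVersion; update via Help > About Firefox."
}
```

Run it in an elevated session if the HKLM key is not readable to the current user; the executable fallback covers per-machine installs only, so per-user installs under %LOCALAPPDATA% will not be detected.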
What’s Happening Off-Stage
Community tracking reported by AwesomeAgents.ai – which SPB has not independently verified – puts the count of rejected researchers above 150, with named individuals publicly disclosing working exploit chains across Firefox, NVIDIA, AI inference stacks, and Linux infrastructure. One group, xchglabs, reportedly had 86 vulnerabilities prepared across PyTorch, NVIDIA, Docker, Ollama, and LiteLLM — all rejected, all now being reported directly to vendors. Researcher desckimh reportedly held working RCEs in both Ollama and LM Studio.
ZDI encouraged all affected researchers to route findings through proper channels. “We continue to encourage all researchers to coordinate with TrendAI and appropriate vendors,” Childs said. “We encourage researchers who were unable to register for the contest to disclose their bugs either directly to the affected vendor or through the regular ZDI program.”
Bottom line on the security risk: this is responsible disclosure, not a threat actor dumping exploits. Researchers are going to vendors. But the gap between a public PoC and an unconfirmed patch is real, and the Firefox situation proves it can cause collateral damage even when everyone is doing the right thing.
What Happened on Stage
Day One delivered. Orange Tsai of DEVCORE Research Team chained four logic bugs to escape Microsoft Edge’s sandbox, earning $175,000 — the day’s biggest single prize. IBM X-Force’s chompie exploited NVIDIA’s NV Container Toolkit for $50,000. Researcher k3vg3n chained SSRF and code injection to take down LiteLLM — a widely deployed AI proxy layer used in enterprise environments — for $40,000. Satoki Tsuji of Ikotas Labs exploited NVIDIA Megatron Bridge for $20,000.
Two attempts failed: Viettel Cyber Security’s Le Duc Anh Vu couldn’t get an OpenAI Codex exploit running in time, and Park Jae Min’s attempt against Oracle Autonomous AI Database came up short.
Satoki Tsuji — who secured a slot and competed on Day One — had already read the room. Before the competition opened, he posted on X (translated from Japanese): “AI causes mass discovery of 0-day RCEs. Applications flood in beyond organizer capacity. Many participants rejected. Hackers with 0-day RCEs are released into the wild. Revenge vulnerability disclosures begin.”
ZDI’s Fix: Fight AI With AI
ZDI isn’t absorbing the volume manually. Childs said the program has deployed agentic AI to triage the surge. “We are using agentic AI to help triage cases and filter poor quality submissions as they are detected. This means that an analyst is looking at 20 cases instead of 1,000.”
He also pushed back on the idea that volume means lower quality. “This also shows advanced researchers are still finding bugs missed by AI code reviews.” The 450% increase isn’t noise — it includes elite chains that ZDI simply didn’t have room to stage.
A post-mortem is coming. “We’re always looking for new methods to demonstrate the top level of offensive research through the contest and will post-mortem this event to determine how best to improve,” Childs said.
What’s Still on the Table
The competition runs through Saturday. Day Two — underway now — includes Orange Tsai targeting Microsoft Exchange for up to $200,000, Rapid7’s Stephen Fewer going after Microsoft SharePoint for $100,000, and two separate attempts against Anthropic Claude Code. Day Three, on Saturday, includes additional Claude Code attempts and two teams targeting VMware ESXi for up to $200,000 each.
The Bigger Picture
The contest added AI coding agents as targets because they’ve become critical infrastructure. The researchers trying to break them used AI to get there faster. The contest ran out of room for both — and now has a 450% submission problem that isn’t going away.
“We continue to see an increase in submissions to Pwn2Own year after year, and with the assistance of AI, we don’t expect it to slow down anytime soon,” Childs said.
The pipeline is moving faster than the institutions built to manage it. ZDI knows it. The researchers know it. Now everyone does.
SPB will update this article as Day Two and Day Three results are published.