First-of-its-kind Cloud Hacking Competition

Join the world's top researchers in a competition to find zero-day vulnerabilities in core open-source software powering the cloud. Put your skills to the test, win huge prizes from our $5M prize pool, and help make the cloud a safer place.

Submit your exploit by

Days

Hours

Min

Sec

Sunday, December 1, 2025

In Partnership With:

How it works

Pick your targets

Research to find critical vulnerabilities in the open-source software that powers the cloud, and submit your entry by Dec 1

Demonstrate your exploit

Accepted submissions will be invited to demonstrate their exploit, live on stage, in London on Dec 10-11

Claim your prize

Successful exploit demonstrations will win generous payouts and be responsibly disclosed to relevant vendors

For more information check out our contest rules and FAQ

If you already use HackerOne, please ensure your ID verification, Tax Forms, and payment preferences are completed by November 20th.

If you are new to HackerOne and cannot complete ID verification yet, simply register on their platform, then submit your entry via our website, providing your HackerOne handle. We will then work with HackerOne to initiate the ID verification process for you.

Time & Place

100% FREE ACCESS

No paid Black Hat ticket required. Register for your complimentary Business Hall pass to attend.

Get Your Free Pass →

ExCeL, London, UK | December 10-11, 2025

Targets & Payouts

Submitted exploits should result in total compromise of the target, meaning a 0-click unauthenticated Remote Code Execution (RCE) vulnerability, unless specified otherwise. For detailed setup information, see our official GitHub repository.

View Target Configurations on GitHub

– AI –

Ollama

Runs consumer AI models in the cloud.

$40,000

vLLM

Powers fast LLM endpoints in the cloud.

$40,000

NVIDIA Container Toolkit

Enables GPU access for containerized cloud workloads.

$40,000

Container escape

– Kubernetes & Cloud-Native –

Kubelet Server

Manages Pods on each Kubernetes Node.

$40,000

K8s API Server

The central control plane for Kubernetes clusters.

$80,000

Grafana

The unified observability dashboard for Kubernetes.

$10,000

Authenticated RCE

$40,000

Unauthenticated RCE (pre-auth)

Fluent Bit

The lightweight standard for log aggregation across clusters.

$20,000

Prometheus

The cloud-native standard for metrics and alerting.

$40,000

– Containers & Virtualization –

Exploits in this section should result in a full Container/VM Escape. This will be tested by executing a predefined binary located on the host machine.

Docker

The industry standard for running containers.

$40,000

User-provided image

$60,000

Arbitrary image

Containerd

The core container runtime in Kubernetes.

$40,000

User-provided image

$60,000

Arbitrary image

Linux Kernel

The OS powering most cloud VMs.

$40,000

Container escape on Ubuntu host

– Web servers –

Envoy

Manages microservice traffic in service mesh environments.

$50,000

Caddy

Popular Go server for cloud apps.

$50,000

Tomcat

Runs enterprise Java applications in the cloud.

$100,000

Nginx

The industry standard for web serving, reverse proxying, and ingress.

$300,000

– Databases –

Redis

Provides high-speed caching for cloud apps.

$30,000

Authenticated RCE

$100,000

Unauthenticated RCE (pre-auth)

PostgreSQL

Provides high-speed caching for cloud apps.

$30,000

Authenticated RCE

$100,000

Unauthenticated RCE (pre-auth)

MariaDB

Popular managed database engine.

$30,000

Authenticated RCE

$100,000

Unauthenticated RCE (pre-auth)

– DevOps & Automation –

Apache Airflow

Schedules cloud data workflows.

$60,000

Jenkins

Automates cloud app deployments.

$60,000

GitLab CE

Popular DevOps platform.

$30,000

Authenticated RCE

$60,000

Unauthenticated RCE (pre-auth)

Invitation to a closed research conference

Participate for a chance to get invited to a closed research conference mid-2026

Stylish exploits are much appreciated - be creative and surprise us!

Frequently Asked Questions

Anyone over the age of majority in their country/state of residence can participate. Teams of 2–5 members or individual participants may enter. Employees of Wiz, its affiliates, and partner companies (AWS, GCP, Azure) cannot participate. Participants cannot be residents of embargoed or sanctioned countries (e.g., Russia, China, Iran, North Korea, Cuba, Sudan, Syria, Libya, Lebanon, or restricted regions like Crimea, Donetsk, etc.). If competing as part of a company, only one individual or one team can represent that company, and you must have proper authorization from your employer to register and bind the company to the contest rules. For complete eligibility requirements, please review the full contest rules.

First-of-its-kind Cloud Hacking Competition

In Partnership With:

How it works

Pick your targets

Demonstrate your exploit

Claim your prize

Time & Place

Targets & Payouts

Ollama

vLLM

NVIDIA Container Toolkit

Kubelet Server

K8s API Server

Grafana

Fluent Bit

Prometheus

Docker

Containerd

Linux Kernel

Envoy

Caddy

Tomcat

Nginx

Redis

PostgreSQL

MariaDB

Apache Airflow

Jenkins

GitLab CE

Frequently Asked Questions

Who can participate in the contest?

How do I register?

What are the entry limits?

What counts as a valid exploit?

What happens after a successful demonstration on stage?

Can I publish the vulnerabilities I find?

Who will see the vulnerability details I submit?

What costs are covered?

Can I participate remotely?

Do I need a paid Black Hat ticket to attend?

How are bounties awarded? Can multiple teams win for the same target?

Ready to demonstrate your exploit on stage?