SECURITY researchers were awarded close to $1.3m after discovering 47 zero-day vulnerabilities at Pwn2Own Berlin, which ran for three days from 14 to 16 May and was sponsored by TrendAI’s Zero Day Initiative (ZDI). The Devcore team won the event, claiming a massive $505,000 in prize money. This edition had an enterprise focus, with AI databases, coding agents, local inferences and NVIDIA products all targeted by competing teams.
Among the highlights, Nguyen Hoang Thach of STARLabs SG earned $200,000 for a memory corruption bug that exploited VMware ESXi, while Orange Tsai of Devcore Research Team earned $200,000 for remote code execution as system on Microsoft Exchange and $175,000 for a sandbox escape on Microsoft Edge; “splitline” of Devcore scored $100,000 for chaining two bugs to exploit Microsoft SharePoint.
According to Infosecurity Magazine, newly discovered vulnerabilities will be responsibly disclosed to relevant vendors with a 90-day window to release security patches before ZDI publicly discloses them, and the event notes the 47 zero-days were identified at Pwn2Own Berlin 2026.