TAIPEI, May 20, 2026 /PRNewswire/ — Pwn2Own Berlin 2026, the world’s premier vulnerability research competition, concluded on May 16 after three days of intense competition. Amid a new wave of AI-driven vulnerability discovery and fierce contention among the world’s top white-hat hackers, Taiwan-based offensive cybersecurity company DEVCORE delivered a landmark performance. Its research team uncovered vulnerabilities across four of Microsoft’s flagship products, securing the global championship with 50.5 total points, more than double the runner-up’s score, and earning the coveted Master of Pwn title.
Sweeping Four Microsoft Product Lines: DEVCORE Takes the Pwn2Own Berlin Crown
Led by Principal Security Researcher Orange Tsai, the DEVCORE Research Team finished the competition with 50.5 total points, taking home $505,000 USD in total prize money along with the Master of Pwn title. Throughout the event, the team successfully exploited Microsoft Edge, Exchange, Windows 11, and SharePoint in succession. DEVCORE was the only team to land a successful exploit in the Browser category, and remains the only team ever to successfully exploit critical vulnerabilities in Microsoft Exchange Server twice at Pwn2Own, with their first win in 2021. The team’s Exchange research also earned the highest single-target prize of the entire event.
Orange Tsai, who led the team at this year’s competition, commented: “It’s an honor to bring this recognition home to Taiwan at Pwn2Own, showcasing the cybersecurity research capabilities of both Taiwan and DEVCORE to the world while contributing to global cybersecurity. Looking ahead, this research momentum will fuel our Offensive Product Security Research (OPSR) service, identifying high-risk attack surfaces and weaknesses in products from an attacker’s perspective, validating ‘exploitable attack paths’ and ‘real business impact,’ and helping enterprises deepen their product security.”
Synergy with AI: Acceleration Meets Researcher Insight as the Decisive Edge
As generative AI models demonstrate increasingly powerful vulnerability discovery and offensive capabilities, Pwn2Own, the highest stage for white-hat hackers, embraced the AI trend this year by including multiple AI models as research targets for the first time. Meanwhile, the surge in AI-assisted vulnerability hunting has reshaped the wider research landscape. Zero Day Initiative (ZDI), the competition organizer, noted in its monthly security reports that the rise of AI models has significantly increased the overall volume of vulnerability disclosures. [1]
The DEVCORE Research Team also leveraged AI in this year’s competition to accelerate intermediate workflows such as code analysis and PoC verification for selected research targets. Notably, the Exchange vulnerability that took the event’s highest single-target prize was uncovered in just one week, built on Orange Tsai’s years of deep research insight into Exchange, with AI as a supporting tool, culminating in a Remote Code Execution (RCE) vulnerability.
In contrast, the 17.5-point Edge browser exploit was achieved entirely through manual research, without any AI assistance. The team chained four logic bugs together to accomplish a sandbox escape, an attack pattern ZDI described as unprecedented. The severity of the finding prompted Microsoft to release a patch within 24 hours of disclosure.
Tsai added: “AI tools offer tremendous assistance, but when every hacker worldwide is using AI to hunt for vulnerabilities, it’s easy to end up discovering the same bugs as other teams. Our edge comes from focusing on unconventional vulnerability classes or high-difficulty targets that no one else attempts, combined with the deep low-level expertise and experience of our researchers. AI has fundamentally reshaped the white-hat hacker’s workflow and working hours, but at this stage, finding truly high-value vulnerabilities still requires skilled researchers to guide AI toward the right direction.”
[1] The May 2026 Security Update Review: https://www.zerodayinitiative.com/blog/2026/5/12/the-may-2026-security-update-review
About Pwn2Own
Operated by TrendAI’s Zero Day Initiative (ZDI) bug bounty program, Pwn2Own is the world’s most prestigious and highest-paying hacking competition. Each year, it invites top cybersecurity researchers and white hat hackers from around the globe to uncover zero-day vulnerabilities across a wide range of software products from major international vendors, with the goal of gaining control over diverse products and services. Pwn2Own stands as the premier global stage where elite white hat hackers compete at the highest level. Visit ZDI at: https://www.zerodayinitiative.com/
About DEVCORE
Founded by a world-class team of white hat hackers, DEVCORE provides Red Team Assessment, Penetration Testing, Offensive Product Security Research, Security Consulting, and Security Training services. Guided by the principles of high morality, strong self-discipline, and rigorous execution, the team delivers industry-leading offensive security services that put enterprise defenses to a real-world test and strengthen overall security posture. By placing offense ahead of defense, DEVCORE helps enterprises elevate their security awareness and stay ahead of ever-evolving attack patterns. Visit DEVCORE at: https://devco.re/en/