Pwn2Own Automotive 2026 Offers $3M+ in Prizes for Security Vulnerabilities

Trend Micro’s Zero Day Initiative will host Pwn2Own Automotive 2026 in Tokyo, offering over $3 million for exploits targeting Tesla systems, EV chargers, and automotive OSes—highlighting the rising cybersecurity challenges and responsible disclosure efforts shaping the future of connected vehicle security.

    The automotive cybersecurity landscape is set to experience another intense shake-up as the Zero Day Initiative (ZDI), a program of Trend Micro, prepares for the return of its high-stakes vulnerability research challenge. The Pwn2Own Automotive 2026 competition will take place in January at Japan’s Automotive World event in Tokyo, and its impressive $3 million+ prize pool has already turned heads in the infosec community.

    This year’s edition expands the attack surface, with six specialized categories covering everything from Tesla vehicles and EV chargers to core automotive operating systems. The yearly competition has evolved into a critical proving ground, forcing automotive manufacturers to confront rapidly evolving cyber threats—and offering researchers significant incentives to help them do it.

    Tesla, Infotainment, and Chargers Top the Prize List

    High-value categories reflect the industry’s most sensitive system components.

    Pwn2Own Automotive 2026 is structured around six targeted categories, with payouts designed to reflect a mix of impact, difficulty, and novelty. Tesla vehicles continue to carry the most lucrative payouts, underscoring the focus on high-stakes automotive threats such as autonomous driving systems and vehicle network control.

    Tesla Vehicle Exploits Could Earn up to $500,000

    Tesla remains the marquee target of the event. Sixteen prizes—seven of which include a Tesla vehicle—are up for grabs for exploits against its various systems. Key Tesla-related bounties include:

    • $500,000 for achieving unconfined root access in a Tesla Autopilot system.
    • $400,000 plus a Tesla vehicle for achieving full remote control over Autopilot without root access.
    • $400,000 plus a Tesla vehicle for compromising any electronic control unit (ECU) and controlling Controller Area Network (CAN) bus communication.

    Add-on prizes include:

    • $100,000 for arbitrary control over a vehicle’s CAN bus.
    • $50,000 each for persistent root access on the infotainment or autopilot systems.

    This prize structure highlights how seriously threats to Tesla’s embedded systems and semi-autonomous features are being taken by both manufacturers and researchers.

    Infotainment Systems and Automotive OSes Also in the Spotlight

    Consumer-facing and back-end components round out the rest of the target surfaces:

    • In-Vehicle Infotainment (IVI) Systems: Up to $20,000 is offered for exploits affecting these critical media and control hubs, which interface deeply with vehicle sensors and the CAN bus.
    • Automotive Operating Systems: Researchers can target BlackBerry QNX, Android Automotive, and Automotive Grade Linux, with rewards up to $60,000 for successful exploits.

    These systems present opportunities to escalate privileges, move laterally through vehicle subsystems, or interfere with real-time driving data processing.

    EV Charging Infrastructure Introduces Expanded Surface Area

    With the increasing adoption of electric vehicles, EV chargers are becoming frontline cyber targets. Pwn2Own Automotive 2026 reflects this trend with two layers of charging-related challenges:

    • Level 3 EV Chargers (Superchargers): Prizes of up to $60,000 are available for targeting systems like the Alpitronic supercharger.
    • Level 2 EV Chargers: Eight different models of connectors and wall boxes are in scope, with up to $40,000 per exploit.
    • Open Charge Alliance Category: Debuting this year, this category focuses on attacks against the Open Charge Point Protocol (OCPP), the standard for charging station communication. Successful exploits net $15,000.

    By including both the hardware interface and the protocol layer, organizers are acknowledging the full-stack risk of EV infrastructure vulnerabilities.

    Previous Competitions Uncovered Dozens of Zero-Days

    Historical data shows recurring high exploit yield, with top teams earning hundreds of thousands.

    Looking at previous competitions illustrates just how prolific this event has become for discovering real-world, zero-day vulnerabilities.

    Pwn2Own Automotive 2025

    The 2025 edition delivered 49 zero-day exploits and $886,250 in payouts. Standouts included:

    • Day 1: 16 zero-days and $382,750 in bounties.
    • Day 2: 23 zero-days, including two Tesla charger exploits, accounting for $335,500.
    • Day 3: 10 zero-days and $168,000 in awards.

    Sina Kheirkhah of Summoning Team captured the “Master of Pwn” title for his performance, collecting $222,250 in prizes.

    Pwn2Own Automotive 2024

    The inaugural competition set the framework, awarding $1.3 million across 49 zero-day discoveries. Critical vulnerabilities were uncovered across Tesla systems, IVI platforms, and a broad range of EV charging stations. Team Synacktiv secured the top prize slot, winning $450,000.

    Competition Fuels Responsible Disclosure in a High-Risk Sector

    Automotive cybersecurity events offer essential testing grounds to harden connected vehicle ecosystems.

    As software-defined vehicles become the norm, the attack surface exposed by networked ECUs, cloud-integrated infotainment features, and remote diagnostics continues to expand. Pwn2Own Automotive provides a rare, controlled environment for rigorous offensive research—while ensuring that vendors are informed of findings through responsible disclosure flows.

    More importantly, this model gives manufacturers both the opportunity and the obligation to patch before wide-scale exploitation. Coordinated vulnerability disclosure is especially vital in automotive security, where a single flaw in an ECU, infotainment system, or CAN bus logic could have life-threatening implications.

    Looking Ahead to January in Tokyo

    With more attack categories than ever and payouts surpassing $3 million, the 2026 event will likely set new benchmarks in vulnerability research volume and criticality. As with past years, the “Master of Pwn” title will once again go to the individual or team whose exploits earn the most points across categories.

    For security researchers, engineers, and automotive CISOs, the competition offers a rare look at emerging weaknesses that may still exist in production vehicles and infrastructure.

    Pwn2Own Automotive 2026 is more than a contest—it’s a barometer of how well the auto industry is keeping pace with its cybersecurity responsibilities.
