It has not been a great week for Microsoft, what with an angry hacker dropping two zero-day exploits on the same day the official Patch Tuesday vulnerability-fixing rollout went live. So, you might think that the news of no fewer than three Microsoft Windows 11 zero-day exploits being demonstrated by hackers on the same day is just a continuation of the bad security vibe. But you would be wrong; this is, in fact, good news. The exploits took place at the annual Pwn2Own elite hacking event in Berlin, and full details of the vulnerabilities underlying the exploits, along with the technical nature of the exploit code itself, will be handed over to Microsoft, which will then have 90 days to provide a fix before any details are made public.

Microsoft Windows 11 Gets Triple-Hacked At Pwn2Own Berlin

I have said it before, and will continue to do so until I am quite blue in the face: hacking is not a crime, criminal hacking is. Vulnerability rewards programs, or bug bounties, have become a hugely popular and lucrative option for hackers looking to make money while helping both vendors and the public stay safe. This kind of perfectly legal hacking into hardware and software with the vendor’s blessing is exemplified by the gathering of some of the best hackers on the planet for the Pwn2Own event in Berlin, which started May 14, and is organized by Trend Micro’s Zero Day Initiative.

Previous Pwn2Own events have seen the Samsung Galaxy S25 exploited by the zero-day hackers, and Meta offer a staggering $1 million reward for a WhatsApp 0-click exploit. In Berlin, however, the hackers who compete against each other to exploit previously unknown vulnerabilities have had great success when it comes to Microsoft Windows 11.

Dustin Childs, the head of threat awareness for the Zero Day Initiative at Trend Micro, has confirmed that the following hackers all managed to execute successful zero-day exploits against Microsoft’s newest and most secure operating system.

  • Angelboy and TwinkleStar03 from the DEVCORE Research Team used an Improper Access Control bug to escalate privileges on Microsoft Windows 11 and were rewarded with a $30,000 bounty.
  • Marcin Wiązowski used a heap-based buffer overflow to escalate privileges on Microsoft Windows 11 and earned $15,000.
  • Kentaro Kawane of GMO Cybersecurity by Ierae chained 2 Use-After-Free bugs to escalate privileges on Microsoft Windows 11 to snap up $15,000.

All vulnerabilities and exploits successfully used are immediately handed over to Microsoft, and the 90-day disclosure clock starts ticking as soon as the demonstration is completed. Microsoft then has that time to develop and release a patch to secure the Windows 11 operating system. “As the world’s top security researchers push technology to its limits,” Childs said, adding that “exploits, surprises and breakthrough discoveries are unfolding.” I will report back with more news as the event continues.