Free Republic
Browse · Search
General/Chat
Topics · Post Article

To: proxy_user
What is the definition of hacked? Did the hackers get a root command line prompt on the Mac?

It depends:

On Thursday, South Korean security researcher and serial browser hacker JungHoon Lee, known online as lokihardt, single-handedly popped Internet Explorer 11 and Google Chrome on Microsoft Windows, as well as Apple Safari on Mac OS X.

Lee’s attack against Google Chrome earned him the largest payout for a single exploit in the history of the competition: $75,000 for the Chrome bug, an extra $25,000 for a privilege escalation to SYSTEM and another $10,000 for also hitting the browser’s beta version—for a total of $110,000.

The IE11 exploit earned him an additional $65,000 and the Safari hack $50,000.

Lee’s accomplishment is particularly impressive because he competed alone, unlike other researchers who teamed up, HP’s security research team said in a blog post. . . .

Most of the attacks demonstrated at Pwn2Own this year required chaining of several vulnerabilities together in order to bypass all defense mechanisms put in place in operating systems and browsers to prevent remote code execution.

The final count for vulnerabilities exploited this year stands as follows: five flaws in the Windows OS, four in Internet Explorer 11, three each in Mozilla Firefox, Adobe Reader, and Flash Player, two in Apple Safari and one in Google Chrome. All bugs were reported to the affected vendors after the contest, as part of the competition’s rules.

So for some of the browsers, the answer was ALL THE WAY TO SYSTEM, or ROOT in the terminology of UNIX and Linux systems. In the case of Safari and the Mac, Pwn2Own has never succeeded in ever reaching ROOT. . . and this time was no different. They did not even get to user-level access. They got into the browser and could see things like history and Bookmarks, etc., but not install anything. . . No administrator-level access.

The bounties are paid by the various manufacturers and publishers of the products.

15 posted on 03/20/2015 4:19:38 PM PDT by Swordmaker (This tag line is a Microsoft insult free zone... but if the insults to Mac users continue...)


To: Swordmaker

IMHO, you’re not pwned if your attacker doesn’t get #. What good is a user account on *nix?


21 posted on 03/20/2015 4:47:07 PM PDT by proxy_user
