Hacker News

"People hold them for the whole year just to use them here"

But does this mean that they will leave the vulnerability alive for a year, half-year (or whenever before the conference they found it) by not reporting it to the vendors till the conference? Because from the description it looks like it has to work on the latest versions of the browser (for example Chrome 42).



There is another perverse incentive. It has been suggested that in previous years the browser vendors were sitting on fixes and waited till the week before pwn2own to release them.


Who suggested that and what reason do they have to believe it?


Correct. On the other hand, if this contest did not exist they may not be looking in the first place.


This was one of Google's stated motivations for recently changing Pwnium from an in-person event similar to Pwn2Own (and held at the same conference 3/4 times, IIRC) to a more traditional year-round bug bounty.

Me, I'm going to miss the experience of sitting at the little dinky hotel cafe with bad Wi-Fi and frantically trying to finish up the exploit before the contest ends. And the press coverage was a bonus...


Of course, with $225,000 on the line, who on earth wouldn't leave the vulnerability alive?



