I saw that with the Pwn2Own contest... did you see, BOTH Apple and Google are playing a little dirty here.

The contest requires the contestants to work on "fully patched" machines. There's no grace time, software updates are run just before they start.

Both Apple and Google released updates immediately before the contest started. It's unreasonable to believe that the entrants in the contest are sitting down, cracking their knuckles, and saying "ok, let's look around for a hole". Naturally they're bringing in zero-day exploits they've been polishing for weeks or months. So there's (A) a chance that the new surprise updates will block the exploit, and more importantly (B) a very high chance that an exploit that still works will have to be tweaked due to the binary being recompiled and addresses changing.

I personally don't think it's fair to allow patches the manufacturers are deliberately withholding until a few hours before the contest to be installed. There should be a cutoff of, say, one week. Testing the security of something that was "released" an hour ago is not a practical real-world scenario unless you're releasing updates every day. Systems will usually have an average lag time of weeks before available patches are applied, and the contestants should have the opportunity to try to beat a system they've had a little time to work on beforehand.

But I can see the other side of it: it would also be nice to see just how well an unprepared hacker can do against a new binary. That could be very hard to enforce though; how do you tell them they're not allowed to use previously developed private exploits? It's probably not possible, so all you do by applying last-hour updates is take a random pot shot at the contestants, some of whom may have worked very hard to find a major hole, one that requires many hours of tweaking to make work properly, that has now changed locations and will require hours of adjustment. (The hole is still there, the target has simply moved; it's no more secure than it was an hour ago, it's just going to eliminate them from the contest due to the added investment in time just introduced.)

I work for the Department of Redundancy Department