Reward is now 5 BTC for a successful hack. See the winner link on the homepage at http://www.h4xcomp.com/
for details on the successful tactic.
I was looking at the details page, and one conclusion you came to was that bitcoind running as root was more secure than bitcoind running as www-data. However, I don't think either is correct; bitcoind should run as its own user in its own group for the most ideal security. The reason is that if somehow it became possible to cause the bitcoind process to execute arbitrary code via some kind of exploit, it would be contained inside the dedicated user and group (theoretically), instead of being allowed to run rampant as root.
I am fairly sure it doesn't need root privileges to run, but if it does you can then use a chroot jail for the best security.
Good point, I will update it with this info. Sounds obvious now you say it, good to get these things sorted out now rather than later. Thanks for picking that up and posting.