Updated below to clarify that Google‘s Pwnium contest will take place separately from the Zero Day Initiative’s Pwn2Own competition. For the last three years,
Google’s Chrome browser has left the world’s premiere hacking competition unscathed, even as Firefox, Internet Explorer and Safari have all been taken down by the assembled security researchers. So in a new contest it’s launching this year, Google is offering hackers a million reasons to re-focus their efforts.
Google
announced Monday evening that it’s offering up to a million dollars in rewards at a hacking contest it’s calling Pwnium, which take place at the same time as the annual Pwn2Own hacking contest at the CanSecWest security conference in Vancouver. Hackers don’t necessarily need to target Chrome to win a chunk of that money: Google is paying $20,000 to any participant who can exploit hackable bugs in Windows, Flash, or a device driver, security problems that would affect users of all browsers. But for hacks that include flaws specific to Chrome, Google will pay $40,000 each, and for those that exploit
only bugs in Chrome, the company will shell out $60,000, up to its million dollar limit.
In fact, Google’s rewards may end up dwarfing those offered by the longer-running Pwn2Own’s organizer, the Hewlett-Packard-owned Zero Day Initiative. HP plans to offer $60,000 to the first place winner of its competition, $35,000 to the second, and $15,000 to the third place contestant,
using a point system to determine those placements.
And why is Google willing to pay seven figures to see its browser taken apart in public? Because, the company explains in a
blog post, the annual hacking contest offers a chance to test Chrome’s mettle against some of the world’s most innovative hackers in a setting where any new flaws can be identified and patched. In return for its rewards, Google demands any winning researcher submit the details of the exploited flaws to its security team, a condition that ZDI doesn’t impose on its winning hackers. ”Not only can we fix the bugs, but by studying the vulnerability and exploit techniques we can enhance our mitigations, automated testing, and sandboxing,” Chrome security engineers Chris Evans and Justin Schuh write. “This enables us to better protect our users.”
The Pwn2Own and Pwnium competitions aren’t the only time researchers can be paid for digging up security flaws in Chrome. Like other companies including Mozilla and Facebook, Google offers “bug bounties” to researchers, and its flaw-buying program
has given out more than $300,000 in payments over the last two years.
Since Chrome first appeared as a target in the Pwn2Own contest in 2009, participating hackers haven’t even tried to exploit the browser, focusing instead on the array of other software and devices laid out as the contest’s victims. Because security exploits are usually developed well ahead of the contest, that’s a sign that none of the researchers could find a chink in Chrome’s armor–its security features include sandboxing, which limits the access of an exploit to the rest of a user’s PC and “just-in-time hardening” that prevents javascript on websites from executing commands on the user’s machine.
Even when Google offered an extra $20,000 to anyone who could hack its browsers last year, no one took up the challenge. That result provides great marketing fodder, but Google says it’s more eager to expose bugs in its code–hence this year’s massive payouts. “While we’re proud of Chrome’s leading track record in past competitions, the fact is that not receiving exploits means that it’s harder to learn and improve,” Evans and Schuh write. “To maximize our chances of receiving exploits this year, we’ve upped the ante.”
