Google puts $1M on the line for Chrome exploit rewards

Pulls out as Pwn2Own sponsor, but will pay up to $60K for each proven exploit

Google on Monday withdrew as a sponsor of next month's Pwn2Own hacking contest, and will instead put as much as $1 million up for grabs if researchers can exploit Chrome.

The company will run its own exploit challenge at the CanSecWest security conference, the venue for Pwn2Own, because it objected to what it said was a change in the rules by contest organizer and prime sponsor, HP TippingPoint's bug-bounty program, Zero Day Initiative (ZDI).

"We decided to withdraw our sponsorship when we discovered that contestants are permitted to enter Pwn2Own without having to reveal full exploits, or even all of the bugs used, to vendors," said Chris Evans and Justin Schuh, two members of the Chrome security team, in a Monday post to the Chromium blog. "Full exploits have been handed over in previous years, but it's an explicit non-requirement in this year's contest, and that's worrisome."

Pwn2Own's rules say nothing about not handing over complete exploits or all bugs to vendors at the close of the contest, but a Jan. 23 tweet by ZDI said, "To clarify, if a team demonstrates 0day at Pwn2Own 2012, but doesn't end up as a winner, the vuln[nerability] is still theirs and will not be reported."

Previously, Google had promised to pay $20,000 to any researcher who managed to exploit Chrome by leveraging browser-only flaws, and $10,000 for a "partial" exploit that relies on a bug in Chrome in addition to a bug in the operating system.

Because Chrome is "sandboxed" -- an anti-exploit technology that isolates malware -- a hack of the browser typically requires two or more exploits. The first is necessary to get attack code out of the sandbox, and the second is needed to actually exploit a Chrome vulnerability and plant malware on the machine.

But Google is ditching that $20,000 maximum scheme, and will put up to $1 million on the line at CanSecWest, said Evans and Schuh.

"We've upped the ante," said the engineers.

For what they called a "full Chrome exploit" -- one that successfully hacks Chrome on Windows 7 using only vulnerabilities in Chrome itself -- Google will pay $60,000, which is equivalent to Pwn2Own's top prize for that three-day contest.

A partial exploit that uses one bug within Chrome and one or more others -- perhaps in Windows -- earns a researcher $40,000. Finally, Google will pay $20,000 for "consolation" exploits that hack Chrome without using any vulnerabilities in the browser itself.

The only limit Google has put on the challenge is a maximum total payout of $1 million. "We will issue multiple rewards per category, up to the $1 million limit, on a first-come-first served basis," said Evans and Schuh.

For the bigger rewards, Google will require more from researchers, who must demonstrate that the bug(s) are reliably exploitable, of critical impact and true "zero-days" that are unknown to Google and have not been shared with any third parties. Both the vulnerabilities used as well as the full exploit must be handed over to Google so that it can, as Evans and Schuh said, "Enhance our mitigations, automated testing, and sandboxing."

Google's rules also effectively eliminate that few if any working Chrome exploits will be used in Pwn2Own. "Contestant's exploits must be submitted to and judged by Google before being submitted anywhere else," said Evans and Schuh.

Although HP TippingPoint was not available late Monday for comment on Google's departure from Pwn2Own, a Twitter exchange sounded like the split was amicable.

1 2 Page
From CIO: 8 Free Online Courses to Grow Your Tech Skills
Join the discussion
Be the first to comment on this article. Our Commenting Policies