Google puts $1M on the line for Chrome exploit rewards
Pulls out as Pwn2Own sponsor, but will pay up to $60K for each proven exploit
Computerworld - Google on Monday withdrew as a sponsor of next month's Pwn2Own hacking contest, and will instead put as much as $1 million up for grabs if researchers can exploit Chrome.
The company will run its own exploit challenge at the CanSecWest security conference, the venue for Pwn2Own, because it objected to what it said was a change in the rules by contest organizer and prime sponsor, HP TippingPoint's bug-bounty program, Zero Day Initiative (ZDI).
"We decided to withdraw our sponsorship when we discovered that contestants are permitted to enter Pwn2Own without having to reveal full exploits, or even all of the bugs used, to vendors," said Chris Evans and Justin Schuh, two members of the Chrome security team, in a Monday post to the Chromium blog. "Full exploits have been handed over in previous years, but it's an explicit non-requirement in this year's contest, and that's worrisome."
Pwn2Own's rules say nothing about withholding complete exploits or all bugs from vendors at the close of the contest, but a Jan. 23 tweet by ZDI said, "To clarify, if a team demonstrates 0day at Pwn2Own 2012, but doesn't end up as a winner, the vuln[erability] is still theirs and will not be reported."
Previously, Google had promised to pay $20,000 to any researcher who managed to exploit Chrome by leveraging browser-only flaws, and $10,000 for a "partial" exploit that relies on a bug in Chrome in addition to a bug in the operating system.
Because Chrome is "sandboxed" -- an anti-exploit technology that isolates malicious code from the rest of the system -- a hack of the browser typically requires two or more exploits. One is needed to get attack code out of the sandbox, and another is needed to actually exploit a Chrome vulnerability and plant malware on the machine.
But Google is ditching that $20,000 maximum scheme, and will put up to $1 million on the line at CanSecWest, said Evans and Schuh.
"We've upped the ante," said the engineers.
For what they called a "full Chrome exploit" -- one that successfully hacks Chrome on Windows 7 using only vulnerabilities in Chrome itself -- Google will pay $60,000, which is equivalent to Pwn2Own's top prize for that three-day contest.
A partial exploit that uses one bug within Chrome and one or more others -- perhaps in Windows -- earns a researcher $40,000. Finally, Google will pay $20,000 for "consolation" exploits that hack Chrome without using any vulnerabilities in the browser itself.
The only limit Google has put on the challenge is a maximum total payout of $1 million. "We will issue multiple rewards per category, up to the $1 million limit, on a first-come, first-served basis," said Evans and Schuh.
For the bigger rewards, Google will require more from researchers, who must demonstrate that the bug(s) are reliably exploitable, of critical impact and true "zero-days" that are unknown to Google and have not been shared with any third parties. Both the vulnerabilities used and the full exploit must be handed over to Google so that it can, as Evans and Schuh said, "enhance our mitigations, automated testing, and sandboxing."
Google's rules also effectively ensure that few, if any, working Chrome exploits will be used in Pwn2Own. "Contestants' exploits must be submitted to and judged by Google before being submitted anywhere else," said Evans and Schuh.
Although HP TippingPoint was not available late Monday for comment on Google's departure from Pwn2Own, a Twitter exchange sounded like the split was amicable.