Rival hacking contests kick off today with $1.1M at stake
HP TippingPoint argues Google's 'Pwnium' money is safe because Chrome sandbox-escape exploits are worth more than Google's paying
Computerworld - Two hacking contests kicked off in Canada today, with hundreds of thousands of dollars in prize money up for grabs.
HP TippingPoint's Pwn2Own and Pwnium, Google's offshoot, both begin today at CanSecWest, a security conference that runs March 7-9 in Vancouver, British Columbia.
Just a week ago, there was to be only Pwn2Own, now in its fifth year, with both TippingPoint's Zero Day Initiative (ZDI), the company's bug bounty program, and Google promising to pitch in prize money.
For its part, ZDI committed $105,000 that would award $60,000 for the top score in a three-day event combining zero-day bug exploits with on-site hacking challenges.
Google, meanwhile, said it would pay up to $20,000 for any exploit of its own Chrome browser.
But on Feb. 27, Google withdrew from Pwn2Own, saying the contest did not require participants to hand over their exploits or divulge all the bugs they used to hack Chrome.
Instead, Google announced Pwnium, a separate event that will pay up to $60,000 for any exploit that leverages only bugs in Chrome. Google pledged to pay out as much as $1 million if several researchers stepped forward with Chrome-only "zero-day," or previously unknown, vulnerabilities and their exploits.
"Pwnium" is a play on Chromium, the name of the open-source project that feeds code to Chrome, and like its rival contest, uses "pwn," hacker-speak for "own," as in to seize control of a computer.
In a lengthy blog post last week, ZDI gave its side of the disagreement that had led Google to pull out of Pwn2Own.
ZDI argued that its goal was to get researchers to reveal bugs -- TippingPoint then adds blockers for those vulnerabilities to its enterprise-grade security appliances -- and wasn't necessarily interested in the exploit details.
But exploits are what Google wants to examine, said a pair of its engineers last week.
The dispute over vulnerabilities versus exploits, said ZDI, centered around "sandbox escapes," attacks that let a hacker break out of the isolating anti-exploit sandbox used by Chrome to keep malware in the browser and out of the operating system or other applications.
"Pwn2Own has never required that contestants give up such sandbox escapes. We do require that they demonstrate them, in order to verify that they did indeed 'hack' the target, but we have never required they disclose the escape to us or the vendor," said ZDI [emphasis in original].
It's done that, said ZDI, because it believes that prize money -- even the top $60,000 it will award this year and the identical amount Google plans on paying -- isn't enough to shake loose the very rare sandbox-escape vulnerabilities and ensuing exploits.
- 15 Non-Certified IT Skills Growing in Demand
- How 19 Tech Titans Target Healthcare
- Twitter Suffering From Growing Pains (and Facebook Comparisons)
- Agile Comes to Data Integration
- Slideshow: 7 security mistakes people make with their mobile device
- iOS vs. Android: Which is more secure?
- 11 sure signs you've been hacked
- The 12 PCI DSS 3.0 requirements addressed by Peer 1 Hosting This handy quick reference outlines the 12 PCI DSS 3.0 requirements, who needs to be compliant and how Alert Logic solutions address the...
- Defense Throughout the Vulnerability Life Cycle This whitepaper provides insight into how to leverage threat and log management technologies to protect your IT assets throughout their vulnerability life cycle.
- Mobile Policy Checklist Here's what to consider when putting together a mobile policy designed to support a highly productive workforce.
- Securing BYOD Mobile computing is becoming so ubiquitous that people no longer bat an eye seeing someone working two devices simultaneously. Individuals and organizations are...
- Live Webcast On-demand webinar: "Mobility Mayhem: Balancing BYOD with Enterprise Security" Check out this on-demand webinar to hear Sophos senior security expert John Shier deep dive into how BYOD impacts your enterprise security strategy...
- Live Webcast Endpoint Backup & Restore: Protect Everyone, Everywhere Arek Sokol from the bleeding-edge IT team at Genentech/Roche explains how he leverages cross-platform enterprise endpoint backup in the public cloud as part...
- Streamline Software Asset Management, Compose a software Management Symphony Keeping track of your organization's software is easy with effective software management solutions from CDW. View the videos in our software solutions channel
- Druva inSync: Endpoint Data Protection & Governance CLICK HERE to watch this video about protecting corporate data on laptops and mobile devices, sponsored by Druva. All Security White Papers | Webcasts