Google raises ante for next Chrome hacking contest to $2M
That's double the maximum of March's first Pwnium
Computerworld - Google yesterday said it will pay up to $2 million for major vulnerabilities in its Chrome browser at a second Pwnium hacking contest this fall.
Pwn2Own, a rival contest sponsored by Hewlett-Packard, will award as much as $200,000 in a mobile-specific challenge slated to run several weeks earlier.
Google's Pwnium 2 will take place at the Hack In The Box security conference on Oct. 10 in Kuala Lumpur, Malaysia.
Like the inaugural Pwnium, which Google sponsored in March at the CanSecWest conference in Vancouver, British Columbia, the upcoming challenge will pit researchers against the then-current version of Chrome. Vulnerability and exploit experts who demonstrate exploits of previously-unknown bugs will be eligible for awards of up to $60,000 for each flaw.
For what Google calls a "full Chrome exploit" -- one that successfully hacks Chrome on Windows 7 using only vulnerabilities in Chrome itself -- Google will pay $60,000 -- the same amount it handed out at the first Pwnium.
A partial exploit that uses one bug within Chrome and one or more others -- perhaps in Windows -- will earn a researcher $50,000, a 25% increase over the same category in the CanSecWest contest. Finally, Google will pay $40,000 for any "non-Chrome" exploit that doesn't involve the browser, but reveals a flaw in, for example, Windows or Adobe's Flash Player -- which is bundled with Chrome.
Google also added a new class of awards for incomplete exploits. "We want to reward people who get 'part way' as we could definitely learn from this work," Chris Evans, a software engineer on the Chrome security team, said in a Wednesday post to Google's Chromium Blog. "Our rewards panel will judge any such works as generously as we can."
The company committed up to $2 million total to Pwnium 2, twice the maximum it risked for the original. It's unlikely it will end up paying anywhere near $2 million; in March, it wrote checks totaling $120,000, or 12% of the $1 million limit.
To claim any award except in the "incomplete" category, researchers must not only pinpoint the vulnerability but also provide working exploit code to Google.
Evans repeated what Google had said earlier, that the original Pwn2Own was a success. "We were able to make Chromium significantly stronger based on what we learned," he said, referring to the name of the open-source project run by Google that then feeds code into Chrome itself
Both researchers who won $60,000 prizes at the March event -- Sergey Glazunov and someone identified only as "PinkiePie" -- also took home the Pwnie Award last month in the "Best Client-Side Bug" category for their Chrome work.
- 15 Non-Certified IT Skills Growing in Demand
- How 19 Tech Titans Target Healthcare
- Twitter Suffering From Growing Pains (and Facebook Comparisons)
- Agile Comes to Data Integration
- Slideshow: 7 security mistakes people make with their mobile device
- iOS vs. Android: Which is more secure?
- 11 sure signs you've been hacked
- Who's Spying on You? You're aware of the threats of malware to your business but what about the ever-changing ground rules? Cybercriminals today are launching attacks against...
- HP HAVEn: See the big picture in Big Data HP HAVEn is the industry's first comprehensive, scalable, open, and secure platform for Big Data. Enterprises are drowning in a sea of data...
- What Datapipe customers need to know about the new PCI DSS 3.0 compliance standard This handy quick reference outlines what PCI DSS 3.0 is, who needs to be compliant and how Alert Logic solutions address the new...
- The 12 PCI DSS 3.0 requirements addressed by Peer 1 Hosting This handy quick reference outlines the 12 PCI DSS 3.0 requirements, who needs to be compliant and how Alert Logic solutions address the...
- Meg Whitman presents Unlocking IT with Big Data During this Web Event you will hear Meg Whitman, President and CEO, HP discuss HAVEn - the #1 Big Data platform, as well...
- The New Way to Work Knowledge Vault This Knowledge Vault focuses on how, in today's increasingly virtual world, it's more important than ever to engage deeply with employees, suppliers, partners,... All Cybercrime and Hacking White Papers | Webcasts