Google puts $1M on the line for Chrome exploit rewards

Pulls out as Pwn2Own sponsor, but will pay up to $60K for each proven exploit

Page 2 of 2

"Nice to see that after 5 years of Pwn2Own vendors are finally stepping up and offering big $ for vuln[erabilities]," said Aaron Portnoy, the leader of TippingPoint's security research team and the organizer of Pwn2Own.

The difference between TippingPoint's and Google's goals -- TippingPoint seeks vulnerabilities it can add to its intrusion prevention system appliances, while Google wants complete exploits it can examine -- appeared to be behind Google's decision to pull out of Pwn2Own.

"We want to study full end-to-end exploits, not just the bugs but also the techniques," said Evans, also on Twitter.

Google tacitly acknowledged that the money it has offered at previous Pwn2Owns -- $20,000 last year, $10,000 in 2010 -- had not been enough to shake Chrome bugs and exploits from the researcher tree.

"While we're proud of Chrome's leading track record in past competitions, the fact is that not receiving exploits means that it's harder to learn and improve," said Evans and Schuh in the Monday blog post.

Chrome's record at Pwn2Own has been impressive: No researcher has been awarded prize money for exploiting Google's browser at the contest. Apple's Safari, Microsoft's Internet Explorer and Mozilla's Firefox -- the other browser targets -- have all been hacked one or more times.

That may change this year.

French security firm Vupen, which took home $15,000 at last year's Pwn2Own for exploiting Safari, plans to bring at least one Chrome zero-day to CanSecWest. Last week, Chaouki Bekrar, Vupen's CEO and head of research, said that a team from his company would be at Pwn2Own; earlier he had claimed Vupen had zero-days for not only Chrome, but also Firefox, IE and Safari.

Vupen's appearance at Google's CanSecWest table could be awkward: Last May, the French company boasted it had figured out a way to hack Chrome by sidestepping the browser's sandbox and evading Windows 7's own anti-exploit technologies.

Google was unable to verify the claim because Vupen does not report the flaws it finds to vendors.

Any vulnerabilities in non-Chrome code revealed by prize winners will be turned over to the appropriate vendor, Evans and Schuh promised.

CanSecWest, Pwn2Own and Google's exploit-reward program will take place in Vancouver, British Columbia, March 7-9.

Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer, or subscribe to Gregg's RSS feed. His e-mail address is gkeizer@ix.netcom.com.

Copyright © 2012 IDG Communications, Inc.
