Google offers exploit bounties for Pwn2Own and Pwnium
For this year's CanSecWest conference, Google has announced that it will both take part in the Pwn2Own 2013 hacker competition and refocus its own Pwnium competition on Chrome OS. Google is both sponsoring Pwn2Own and putting up an additional $3.14159 million (approximately £1.9 million) in rewards for the third instalment of Pwnium, a sum that alludes to the mathematical constant Pi. Last year, Google pulled out of Pwn2Own in a dispute over disclosure of issues and set up its own challenge with Pwnium.
Google says that it is changing the focus of its own competition since the Chrome browser itself will be the target of the Pwn2Own contest. Like the Zero Day Initiative's Pwn2Own 2013, Google's Pwnium 3 will take place on site at CanSecWest. Google will be paying out $110,000 for web-delivered exploits at the browser or system level and $150,000 for exploits that persist across reboots. The attacks must be able to penetrate security on the Wi-Fi-only model of the Samsung Series 5 550 Chromebook running the latest stable version of Chrome OS. For security researchers without access to this hardware, Google provides an explanation of how to set up a virtual machine.
Both contests require that, to be eligible for rewards, exploits be delivered with a full explanation and all source code as well as a breakdown of all the bugs that were used. For Pwnium, exploits also have to be served from an HTTPS-enabled and password-authenticated Google service like App Engine. The bugs should also be new problems that have not been fixed at the time of the contest.