Pwnium 2: Google pledges $2 million for Chrome exploits
As part of its second Pwnium contest, Google will offer up to $2 million in rewards to security researchers who can find and exploit vulnerabilities in its web browsers. The company's next security competition, "Pwnium 2", will take place on 10 October at the Hack In The Box conference in Kuala Lumpur, Malaysia, but is independent of the event.
For vulnerabilities that fully exploit the latest stable branches of Chrome and Chromium (the open source upstream release of the Chrome browser), Google will award researchers $60,000, as it did in the first competition. However, in response to feedback, the other reward levels have been brought closer together. Vulnerabilities that only partially exploit Chrome, such as those that combine a bug in WebKit with one in Windows, will now receive $50,000.
The company is also offering a reward of $40,000 for non-Chrome security holes in, for example, Adobe Flash or Windows itself. "We're happy to make the web safer by any means – even rewarding vulnerabilities outside of our immediate control," said Google Software Engineer Chris Evans.
The company is also prepared to reward "incomplete exploits": unreliable or incomplete exploits, such as those that execute code inside the Chrome sandbox but fail to escape it. Because Google says it could still learn from this work, it wants to reward these exploits too, though the amounts will be determined by the rewards panel.
The researcher who submits the best exploit will also receive the system being targeted during the contest: an Acer Aspire laptop. In the announcement, Evans says that the first Pwnium contest, which took place earlier this year at the CanSecWest conference, exceeded the company's expectations and helped to make Chromium significantly more secure. Two submissions were awarded a total of $120,000 at the first event. The researchers who discovered the exploits also went on to win Pwnie Awards at this year's Black Hat security conference for their work.
- Google offers larger rewards to vulnerability hunters, a report from The H.