Search giant Google is planning a third iteration of its vulnerability-finding contest, Pwnium. This year’s competition is set to be held alongside next month’s CanSecWest security conference on March 7 in Vancouver, BC. Unlike last year’s inaugural Pwnium, which was parallel to CanSecWest’s older Pwn2Own competition, this year Google teamed up with HP’s Zero Day Initiative, the group behind Pwn2Own, to work on the contest’s outlines and “underwrite a portion of the winnings.”
As Google’s Chrome browser is already included in CanSecWest’s Pwn2Own competition, the company is planning to open its still relatively new Chrome OS up to attackers. Google will award up to $3.14159 million total to contestants who are able to compromise the Linux-based OS, committing about $1 million more than it put up for the second Pwnium, and $2 million more than it put up for the first Pwnium.
Google security researcher Chris Evans said on the Chromium Blog the company will offer $110,000 for a “browser or system level compromise in guest mode or as a logged-in user, delivered via a web page” and $150,000 for a “compromise with device persistence — guest to guest with interim reboot, delivered via a web page.”
Anonymous security researcher PinkiePie made waves at the first Pwnium by exploiting the Chrome browser by stitching together six different vulnerabilities. At the Hack in the Box conference in Kuala Lumpur, Malaysia in October the researcher went on to produce a full exploit and break the browser’s sandbox in the second edition of Pwnium. While there are fewer reward levels this time through, the $3 million-plus the company has put up is a substantial increase from the $2M it offered in October.
For Pwnium 2, Google rewarded those able to crack Chrome in $40,000, $50,000 and $60,000 increments, a fraction of the $110,000 and $150,000 increments being offered this year.
“We believe these larger rewards reflect the additional challenge involved with tackling the security defenses of Chrome OS, compared to traditional operating systems,” Evans wrote on Monday.
To be eligible, those who think they can compromise Chrome OS must be able to do so on a WiFi model of the Samsung Series 5 550 Chromebook running the latest build of the operating system.
Officials from Google have talked up the security of its Chrome OS, claiming the system comes “hardened,” includes its own sandbox to reduce susceptibility to malware and is largely cloud-based. The operating system first surfaced on a select number of cr-48 laptops in late 2010 and 2011 while second-generation Chromebooks, produced by Acer and Samsung became more commercially available in 2012.
Bug bounty programs, especially Google’s, have caught on in years past. The company continues to pay researchers for discovering vulnerabilities in its Chrome browser on a regular basis. While Pinkie Pie was the only researcher who successfully submitted an exploit for Chrome at Hack in the Box — netting a cool $60,000, Google has continued to increase reward denominations for each Pwnium so far.
“This signals to us that bugs are becoming harder to find, as the efforts of the wider community have made Chromium significantly stronger,” Evans said last summer, a statement that appears to still ring true.
