VANCOUVER–Well, that didn’t take long. Before the first session of the CanSecWest conference here even started on Wednesday, a researcher had already succeeded in scoring a full compromise of Google Chrome, using two distinct bugs, and earning himself a $60,000 reward as part of the company’s Pwnium contest.
The contest is being run in conjunction with the conference and parralel to the older Pwn2Own contest. Google put up its own fund of $1 million to be paid out in increments of $60,000, $40,000 or $20,000, depending on the severity and kind of bug used. In the case of this first successful exploit against Chrome, researcher Sergey Glazunov combined two separate bugs in order to gain a full compromise of the browser.
In past years, Google has taken part in the Pwn2Own contest and contributed sponsorship money that goes to the winners. This year, however, the company decided that it would be better served running its own contest, mainly because it was interested in getting not just the bugs researchers use, but also the exploits. That’s not part of the Pwn2Own structure.
“The aim of our sponsorship is simple: we have a big learning opportunity when we receive full end-to-end exploits. Not only can we fix the bugs, but by studying the vulnerability and exploit techniques we can enhance our mitigations, automated testing, and sandboxing. This enables us to better protect our users. While we’re proud of Chrome’s leading track record in past competitions, the fact is that not receiving exploits means that it’s harder to learn and improve,” Google’s Chris Evans and Justin Schuh wrote in a blog post last week.
The Pwnium contest is structured in such a way that there can be multiple winners at each level of reward, until the $1 million limit is reached. In past years, no researcher has been successful in compromising Chrome during Pwn2Own, with the contestants preferring instead to go after Apple Safari, Mozilla Firefox or Microsoft Internet Explorer.
The researcher who won the first $60,000 reward here has been a frequent beneficiary of Google’s generosity in the past. Glazunov has received thousands in rewards through the company’s bug bounty program for Chrome in the last couple of years.
Last year, Google was able to patch one of the bugs used in Pwn2Own within a day, and company officials said they hope to be able to fix this issue in roughly the same time frame.