Google has been handing out rewards to researchers who discover vulnerabilities in the company’s products and Web properties for several years now, both through its Chrome bug bounty program and its Pwnium contest at this year’s CanSecWest conference. Company officials say that the programs have been quite successful at finding and fixing bugs, so much so, in fact, that the number of new submissions have been dropping off lately. Instead of closing down the reward program, however, Google this week said it will pay even more for some bugs and also announced that is reprising the Pwnium contest at Hack in the Box in Malaysia this Fall, offering up to $2 million in rewards.
Pwnium is designed to reward researchers who come up with new vulnerabilities in Google Chrome and can use them to produce full compromises of the browser to get remote code execution. In the first iteration, Google put together a pool of up to $1 million to pay out in various increments for such exploits, and ended up getting two submissions that qualified for the highest reward of $60,000. Both of those entries used complex methods and multiple vulnerabilities and Google researchers said at the time that they were impressed with the quality of the submissions.
Now Google is doubling the total amount of money available for rewards to $2 million and also is increasing the value of some of the lower-level rewards to $40,000 and $50,000, respectively. The top reward will be reserved for exploits that achieve a full compromise of Chrome running on Windows 7, using only bugs in the browser itself. To earn $50,000 researchers will need to achieve the Chrome compromise using at least one browser bug and one other, perhaps in a Windows component. The $40,000 reward will go to entrants who use non-Chrome vulnerabilities, including bugs in apps such as Flash.
There’s also a special reward in this version of Pwnium for submissions that the panel of judges think deserve some attention, even if the exploit isn’t 100 percent reliable.
“For example, code execution inside the sandbox but no sandbox escape; or a working sandbox escape in isolation. For Pwnium 2, we want to reward people who get ‘part way’ as we could definitely learn from this work. Our rewards panel will judge any such works as generously as we can,” Chris Evans of Google’s security team said.
The Pwnium 2 contest will be Oct. 10 at Hack in the Box, which takes place in Kuala Lumpur. Aspiring entrants will have a difficult task ahead of them, as they’ll be working on a fully patched version of Chrome running on Windows 7. Both the browser and the operating system include a number of exploit mitigations and protection mechanisms that will make the researchers’ job quite difficult. They’ll also have to serve the exploit from a password-protected Google property over HTTPS.
But, then again, $2 million is a lot of money.