Google is expanding its successful Pwnium vulnerability reward program, which has run at various security conferences for a couple of years now, to run continuously and offer an unlimited pool of financial rewards.
Pwnium was originally established as an alternative to the Pwn2Own hacking contest held at CanSecWest every spring. The Pwn2Own contest has been the origin of some high-profile vulnerabilities and attack techniques over the last decade, and its rules require winners to disclose the details of the vulnerability and the crash that leads to it. Google’s Pwnium has a different set of rules that require winners to disclose all of the details of a vulnerability in Chromium along with the full exploit.
That difference kept some researchers away from the Pwnium contests, but Google got its share of entrants and high-risk vulnerabilities. Now, the company is opening the program up on a continuous basis and placing no limit on the amount of money available for qualifying vulnerability submissions. The goal is to help prevent researchers from hoarding bugs until the next iteration of the contest and open the program up to more people.
“If a security researcher was to discover a Pwnium-quality bug chain today, it’s highly likely that they would wait until the contest to report it to get a cash reward. This is a bad scenario for all parties. It’s bad for us because the bug doesn’t get fixed immediately and our users are left at risk. It’s bad for them as they run the real risk of a bug collision. By allowing security researchers to submit bugs all year-round, collisions are significantly less likely and security researchers aren’t duplicating their efforts on the same bugs,” Tim Willis of the Chrome security team said in a blog post Tuesday.
In past years, Google has allocated a set amount of money for potential Pwnium rewards, but with the change in the program there is now no upper limit on how much money is available to researchers.
“For those who are interested in what this means for the Pwnium rewards pool, we crunched the numbers and the results are in: it now goes all the way up to $∞ million,” Willis said.