Depending upon your perspective, the third iteration of Google Pwnium at this year’s CanSecWest conference was either a mild failure or a huge success. No researchers were able to come up with a full compromise of the Chrome OS, the target in this year’s contest, but Google said this week that it did receive a partial qualifying entry from one researcher and awarded him $40,000 for his efforts.
Google first ran the Pwnium contest at last year’s CanSecWest conference and received a pair of winning entries, each of which qualified for a $60,000 reward. That contest focused on the Chrome browser. This time around Google was interested in bugs in its Chrome OS, which runs on Chromebook laptops. The company was offering more than $3 million in possible rewards for new vulnerabilities in the operating system.
By the end of the contest two weeks ago, Google hadn’t received any full winning entries. However, an anonymous researcher known as Pinkie Pie, who had submitted winning entries in each of the previous two Pwnium contests, including one at Hack in the Box last fall, was working on an exploit when time ran out. He demonstrated a partial exploit that worked on several bugs he had discovered, so Google’s security team decided to give him a partial payout for his efforts.
“At Pwnium, we didn’t receive any winning entries, but did reserve the right to issue “partial” rewards. We’re pleased to reward $40,000 to Pinkie Pie, who submitted a plausible bug chain involving video parsing, a Linux kernel bug and a config file error. The submission included an unreliable exploit demonstrating one of the bugs. We’ve fixed most of these bugs already,” Chris Evans of Google’s security team said.
“In particular, we’d like to thank Pinkie Pie for honoring the spirit of the competition by disclosing a partial exploit at the deadline, rather than holding on to bugs in lieu of an end-to-end exploit. This means that we can find fixes sooner, target new hardening measures and keep users safe.”
During the Pwn2Own contest that ran concurrently with Pwnium, researchers from MWR Labs in the UK were able to compromise Chrome, earning a nice reward from the HP Zero Day Initiative, but Chrome OS withstood the concerted efforts of the research community, save Pinkie Pie.