Google threw down the gloves on their Chromium Blog yesterday with an announcement that they would pay out up to $1 million in prize money for Chrome exploits at CanSecWest this year.
The blog post also announces that Google will no longer sponsor or officially participate in Pwn2Own because of a new policy that states contestants may enter Pwn2Own but don’t have to reveal their full exploits to vendors. Instead, Google has decided to pursue their Chromium Security Awards Program on its own.
In the five years of Pwn2Own contests, Chrome has yet to be pwnd or owned, a fact that many security experts attribute to Chrome’s sandbox. It may sound boastful that the search giant is offering up so much money, but Google claims they sincerely want researchers to compromise Chrome so they can, in addition to fixing the bugs, learn more about vulnerability and exploit techniques to improve their mitigation, automated testing, and sandboxing efforts.
“While we’re proud of Chrome’s leading track record in past competitions, the fact is that not receiving exploits means that it’s harder to learn and improve,” wrote Google’s Chris Evans and Justin Schuh.
Google has established three reward categories and will continue to pay for exploits until they reach that $1 million threshold. A $60,000 prize will be awarded for full Chrome exploits if users can compromise the browser with bugs found only in Chrome. A $40,000 prize will be offered for a partial Chrome exploit if users can compromise Chrome with a combination of at least one Chrome bug and other non-Chrome bugs. There will also be a $20,000 consolation reward for hackers who uncover vulnerabilities not specific to Chrome that would affect users of any browser.
Winners will also receive a complimentary Chromebook.
The rewards will be granted on a first-come, first-served basis. Each set of bugs must be reliably exploitable, fully functional from end to end, present in the most up-to-date version of Chrome, and genuine 0-days submitted to and judged by Google.