Google has offered a total of $1 million for hackers in the Pwn2Own hacker contest if they find security exploits in their Chrome browser, the company’s security team announced. In its sixth year of running, the Pwn2Own contest has seen vulnerabilities being exposed for fully patched and functional browsers such as Internet Explorer and Safari. However, no hacker group has tried aiming at Chrome, especially since it is well protected behind a sandbox.
Google stated that the rewards – awarded in a first-come first-serve basis to anyone who can show the exploit – will be tiered with $60,000 going for a full-browser exploit, $40,000 for a partial exploit and $20,000 as a consolation reward:-
$60,000 – “Full Chrome exploit”: Chrome / Win7 local OS user account persistence using only bugs in Chrome itself.
$40,000 – “Partial Chrome exploit”: Chrome / Win7 local OS user account persistence using at least one bug in Chrome itself, plus other bugs. For example, a WebKit bug combined with a Windows sandbox bug.
$20,000 – “Consolation reward, Flash / Windows / other”: Chrome / Win7 local OS user account persistence that does not use bugs in Chrome. For example, bugs in one or more of Flash, Windows or a driver. These exploits are not specific to Chrome and will be a threat to users of any web browser. Although not specifically Chrome’s issue, we’ve decided to offer consolation prizes because these findings still help us toward our mission of making the entire web safer.
The rewards will be given away until the $1 million mark is reached. The winners will also receive a Chromebook (yay!). However, Google withdrew from sponsoring Pwn2Own this year, since they found out that the hackers are not required to publish the entire exploit this year.
Originally, our plan was to sponsor as part of this year’s Pwn2Own competition. Unfortunately, we decided to withdraw our sponsorship when we discovered that contestants are permitted to enter Pwn2Own without having to reveal full exploits (or even all of the bugs used!) to vendors.