Google rolls annual Pwnium bug disclosure contest into year-round bounty program

Shawn Knight



Google has decided to do away with its annual Chromium security event that rewards individuals for disclosing exploits. At a time when privacy and security are paramount, you're probably wondering why Google is disbanding Pwnium.

The answer is simple, really – it’s becoming a year-round bounty program.

Tim Willis, described as a hacker philanthropist within the Chrome Security Team, announced the change in a blog post on Tuesday. The shift in strategy is happening for a couple of different reasons, Willis said.


Up to this point, Pwnium competitors had to meet several requirements leading up to the one-day event, including having a working bug chain ready in advance, pre-registering and attending the event in person. While this more or less weeded out all but the top researchers in the field, it also meant that many others were left sitting on valid vulnerabilities that could easily have gone unreported.

Along the same line of thinking, it's highly plausible that some people found event-worthy bugs well in advance of Pwnium but sat on them until the event in order to collect the big prize, leaving Chrome users exposed in the meantime. How big a prize, you ask?

Last year's event was held at the CanSecWest security conference in Vancouver, offering a total of $2.71828 million in rewards (not a random figure: those are the leading digits of the mathematical constant e).

The move to a year-round program would seemingly mean less money per disclosure, but apparently that's not the case. Willis said they crunched the numbers and, well, there's no limit on yearly payouts. Pwnium-style bug chain disclosures will be folded into the existing Chrome Vulnerability Reward Program, boosting the top reward to $50,000. And again, this reward will be offered year-round.

But above all else, Willis said security researchers requested the change.

It makes more sense too, in terms of getting vulnerabilities patched quickly. If someone discovered a vulnerability in Chrome two weeks after Pwnium, under the old system (if I understand it correctly), they'd have to wait just a bit less than a year to report it and be paid for the report. Now, once they compile the necessary information, they can be paid immediately and Google can get started on a patch much faster.
 