Google wants hackers to hammer on Chrome for $1 million

By on February 28, 2012, 6:30 PM

Google has withdrawn support for TippingPoint's annual Pwn2Own hacking competition following rule changes. Previously, entrants were required to reveal all the details about exploits used to compromise security. That stipulation no longer exists and folks are allowed to enter 2012's Pwn2Own without divulging their methods. Google called the practice "worrisome," noting that it's willing to pony up for vulnerability information.

Among other benefits, Pwn2Own is typically a source of positive PR for Google with Chrome surviving past events completely unscathed. Fortunately, hackers will still have an opportunity to try their hand at Google's robust browser during the same conference (CanSecWest) in Canada next month. The search giant will host its own event called "Pwnium," offering up to $1 million in monetary rewards for various degrees of exploitation.

Security experts who achieve a "full Chrome exploit" (Chrome/Windows 7 user account persistence with only bugs in the browser itself) will receive $60,000. Participants will also have an opportunity to bag $40,000 for a partial Chrome exploit (Chrome/Win7 user account persistence using at least one Chrome bug), while a $20,000 "consolation reward" will be offered for non-Chrome-specific bugs, such as those in Flash or Windows.

That's substantially more money than is usually available through Pwn2Own. Last year, Google offered $20,000 for Chrome-only exploits and $10,000 for escaping Chrome's sandbox using non-Google code. In addition to the cash prizes, winners will receive a Chromebook. Naturally, eligible bugs must be fully functional in the latest software versions and must be true zero-day exploits, neither previously known to Google nor shared with third parties.

"While we're proud of Chrome’s leading track record in past competitions, the fact is that not receiving exploits means that it's harder to learn and improve. To maximize our chances of receiving exploits this year, we've upped the ante," Google wrote on the official Chromium blog. "[The rewards are] designed to be attractive -- not least because it stays aligned with user safety by requiring the full exploit to be submitted to us."




User Comments: 15

lawfer, TechSpot Paladin, said:

I didn't read it in the article, but how do you achieve a 1 million dollar reward, again?

Matthew, TechSpot Staff, said:

The total prize pool is $1 million. Individual vulnerabilities are worth $20-$60k each.

lawfer, TechSpot Paladin, said:

So the prize pool is up to 1 million, not that Google is going to offer 1 million per discovery, as the title incorrectly suggests.

Matthew, TechSpot Staff, said:

The title says Google is offering a million bucks per discovery? All it says is the company is offering a million bucks for "hackers to hammer on Chrome" and that's quite accurate.

Steve, TechSpot Staff, said:

The word "hackers" not "hacker" made me think it was multiple hackers sharing in a $1 million prize pool. That said I didn't assume one way or the other, I read the article and got the facts.

lawfer, TechSpot Paladin, said:

Matthew said:

The title says Google is offering a million bucks per discovery? All it says is the company is offering a million bucks for "hackers to hammer on Chrome" and that's quite accurate.

I didn't say the title explicitly said it, I said it suggested it. As in, imply.

There's a reason why this article's title is evidently different. When you say prize pool, it is understood whoever hosts the event is willing to give up to X amount of money for the winners, but when you say "Google wants hackers to hammer on chrome for $1 million," sounds more like a competition in which the one with the (or the most) finding(s), will earn the cash. As in, the $1 million.

Matthew, TechSpot Staff, said:

And I don't see how it suggests that either. I'm sorry you were misled, but I believe the title is accurate.

lawfer, TechSpot Paladin, said:

Matthew said:

And I don't see how it suggests that either. I'm sorry you were misled, but I believe the title is accurate.

Hey, I tried.

---agissi---, TechSpot Paladin, said:

I'm with lawfer, details aside, the title had me confused. Actually the article had me confused even though it read properly because I never saw the million dollar prize. But I see what you're saying Matthew.

Matthew, TechSpot Staff, said:

Aye, I didn't intend for it to be misleading or sensational etc. Again, if anyone read it as such, I apologize. At least we're all on the same page now.

---agissi---, TechSpot Paladin, said:

Haha yeah it's hardly a big deal. Thanks a lot for bringing us the news we've all come to love.

MilwaukeeMike said:

Steve said:

The word "hackers" not "hacker" made me think it was multiple hackers sharing in a $1 million prize pool. That said I didn't assume one way or the other, I read the article and got the facts.

What said you didn't assume? Or did you mean 'that said' as in 'that being said' or 'having said that' which no one really understands since it means neither 'however' (contrary) or 'in addition to' (supportive). I honestly can't explain what it means... maybe I need to go back to high school... where those phrases belong.

Anyway... $1 million dollar reward is often very misleading. (Even if this was $1 million to a single person) America's Got Talent offers $1 million to the winner. In a 40 year annuity. The lottery pays the same way. They essentially are awarding you $1 million and then giving themselves an interest-free loan for 40 years (or 20 for the lottery) and only paying you $25000 per year for 40 years.

spydercanopus said:

I'm about to be a millionaire. There are tons of exploits, doesn't Google have google?

Mindwraith said:

lawfer said:

So the prize pool is up to 1 million, not that Google is going to offer 1 million per discovery, as the title incorrectly suggests.

it's not incorrect, you could potentially walk away with one million. it's just very unlikely.

lawfer, TechSpot Paladin, said:

Mindwraith said:

lawfer said:

So the prize pool is up to 1 million, not that Google is going to offer 1 million per discovery, as the title incorrectly suggests.

it's not incorrect, you could potentially walk away with one million. it's just very unlikely.

According to the article (not the title, mind you), it's a prize pool of up to $1 million. Google expects people to win in certain categories, and these categories have a certain amount in prizes that combined can make up no more than the $1 million. However, there's no category that would grant you the entire prize pool of $1 million, which is why I brought up that the title had a certain disparity with the contents of the article, as the fact that you thought there was indeed a way to win a million does nothing but corroborate what I first said.

It's not really that big of a deal, that's why I'm not giving TechSpot a hard time.
