Google announces Pwnium 2, $2m in rewards for Chrome hacks

By on August 17, 2012, 10:33 AM

Google has announced it will host a second Pwnium hacking competition this October after withdrawing support for TippingPoint's annual Pwn2Own back in February. The event will take place at the Hack In The Box security conference in Malaysia.  This time the company’s offering up to a total of $2 million in rewards for anyone who can find bugs in its Chrome browser, exploit them, and detail their techniques.

That's double the maximum reward pool of March's first Pwnium in Vancouver -- however, only a small fraction of that was paid last time around, with two submissions totaling just $120,000. 

Google will pay $60,000 for a full Chrome exploit using only bugs in Chrome itself; $50,000 for a partial Chrome exploit using Chrome itself and other browser or Windows flaws such as Webkit or kernel-level flaws; and $40,000 prize would be rewarded for a non-Chrome exploit for a bug in Flash, Windows or a driver. In addition incomplete or unreliable exploits may also receive a prize. "Our rewards panel will judge any such works as generously as we can," the company wrote on its Chromium Blog.

TippingPoint's annual Pwn2Own hacking competition changed some of its rules this year and no longer requires entrants to reveal all the details about exploits used to compromise security. Google called this change "worrisome" and decided to withdraw its support, promoting its Pwnium challenge instead.

Not everyone is interested in Google’s payouts, however. French security company Vupen, which demoed two Chrome exploits at Pwn2Own, has made it clear they have no intention of participating in Google’s competition if it meant revealing an exploit it could instead keep secret and sell to its government customers for considerably more. “We wouldn’t share this with Google for even $1 million,” they said at the time.




User Comments: 2

Got something to say? Post a comment
TJGeezer said:

"French security company Vupen...'wouldn?t share this with Google for even $1 million'"

Essence of drive-off-a-cliff capitalism: If you can make money at the cost of hurting everyone else, why not? Of course, their French government handlers might be about as patient with them for spilling the beans about vulnerable outside network software as similar agencies would be in the US or UK. I guess that would be capitalism+nationalism - the ultimate in "us vs. them" dog pack thinking. Oops, sorry, that title goes to religions.

Guest said:

If the would-be hacker capitalist decides to hold onto potentially valuable exploits they bear the risk it is discovered and fixed/disclosed and they don't get anything. It seems Google has wisely considered that the individual would consider this risk and adjusts Pwnium payouts accordingly. The payout prize amounts should technically fluctuate based on hacker supply, demand and bacon.

Load all comments...

Add New Comment

TechSpot Members
Login or sign up for free,
it takes about 30 seconds.
You may also...
Get complete access to the TechSpot community. Join thousands of technology enthusiasts that contribute and share knowledge in our forum. Get a private inbox, upload your own photo gallery and more.