Google has announced it will host a second Pwnium hacking competition this October after withdrawing support for TippingPoint's annual Pwn2Own back in February. The event will take place at the Hack In The Box security conference in Malaysia. This time the company's offering up to a total of $2 million in rewards for anyone who can find bugs in its Chrome browser, exploit them, and detail their techniques.
That's double the maximum reward pool of March's first Pwnium in Vancouver – however, only a small fraction of that was paid last time around, with two submissions totaling just $120,000.
Google will pay $60,000 for a full Chrome exploit using only bugs in Chrome itself; $50,000 for a partial Chrome exploit using Chrome itself and other browser or Windows flaws such as Webkit or kernel-level flaws; and $40,000 prize would be rewarded for a non-Chrome exploit for a bug in Flash, Windows or a driver. In addition incomplete or unreliable exploits may also receive a prize. "Our rewards panel will judge any such works as generously as we can," the company wrote on its Chromium Blog.
TippingPoint's annual Pwn2Own hacking competition changed some of its rules this year and no longer requires entrants to reveal all the details about exploits used to compromise security. Google called this change "worrisome" and decided to withdraw its support, promoting its Pwnium challenge instead.
Not everyone is interested in Google's payouts, however. French security company Vupen, which demoed two Chrome exploits at Pwn2Own, has made it clear they have no intention of participating in Google's competition if it meant revealing an exploit it could instead keep secret and sell to its government customers for considerably more. "We wouldn't share this with Google for even $1 million," they said at the time.