Google has withdrawn support for TippingPoint's annual Pwn2Own hacking competition following rule changes. Previously, entrants were required to reveal all the details about exploits used to compromise security. That stipulation no longer exists and folks are allowed to enter 2012's Pwn2Own without divulging their methods. Google called the practice "worrisome," noting that it's willing to pony up for vulnerability information.
Among other benefits, Pwn2Own is typically a source of positive PR for Google, with Chrome surviving past events completely unscathed. Fortunately, hackers will still have an opportunity to try their hand at Google's robust browser during the same conference (CanSecWest) in Canada next month. The search giant will host its own event called "Pwnium," offering up to $1 million in monetary rewards for various degrees of exploitation.
Security experts who achieve a "full Chrome exploit" (Chrome/Windows 7 user account persistence with only bugs in the browser itself) will receive $60,000. Participants will also have an opportunity to bag $40,000 for a partial Chrome exploit (Chrome/Win7 user account persistence using at least one Chrome bug), while a $20,000 "consolation reward" will be offered for non-Chrome-specific bugs, such as those in Flash or Windows.
That's substantially more money than is usually available through Pwn2Own. Last year, Google offered $20,000 for Chrome-only exploits and $10,000 for escaping Chrome's sandbox using non-Google code. In addition to the cash prizes, winners will receive a Chromebook. Naturally, eligible bugs must be fully functional in the latest software versions and must be true zero-days, previously unknown to Google and not shared with third parties.
"While we're proud of Chrome’s leading track record in past competitions, the fact is that not receiving exploits means that it's harder to learn and improve. To maximize our chances of receiving exploits this year, we've upped the ante," Google wrote on the official Chromium blog. "[The rewards are] designed to be attractive -- not least because it stays aligned with user safety by requiring the full exploit to be submitted to us."