Google is hosting its third Pwnium hacking competition in March and has announced that a total of $3.14159 million in rewards will be up for grabs -- in allusion to the mathematical constant Pi. Instead of its Chrome browser, however, this year the focus will be on Chrome OS with individual prizes in two different levels: $110,000 for browser or system level compromise in guest mode or as a logged-in user, delivered via a web page, and $150,000 for a compromise with device persistence (guest to guest with interim reboot) delivered via a web page.
That’s a significant jump from last year’s total prize pool of $2 million and up to $60,000 per Chrome vulnerability. Writing on the Chromium blog, Chris Evans, an engineer with the Google Chrome Security Team, explained that “these larger rewards reflect the additional challenge involved with tackling the security defenses of Chrome OS, compared to traditional operating systems.”
Google notes that the attack must be demonstrated against a base Wi-Fi model of the Samsung Series 5 550 Chromebook, running the latest stable version of its operating system, and served from a password-authenticated and HTTPS-supported Google property, such as Google App Engine. The attacks must employ unknown vulnerabilities and Google reserves the right to pay partial rewards for incomplete exploits.
As usual, the company is also requiring full disclosure on how the attack works in order to be eligible for a reward. That includes delivering all the source code and a breakdown of the bugs used in the exploit.
The full disclosure requirement was a point of contention last year at the simultaneous Pwn2Own hacking event and ultimately caused Google to withdraw its support. Namely, winners only had to demonstrate the successful conclusions of their attacks, meaning they could walk away with the prize money as well as an undisclosed zero-day vulnerability to sell -- governments have been known to pay good money for these.
That’s changed this year, however. Google will be present at both events, which are scheduled to take place at the CanSecWest security conference between March 6 and March 8 in Vancouver, Canada. The prizes lined up by HP TippingPoint's Zero Day Initiative for Pwn2Own are as follows:
- Google Chrome on Windows 7 ($100,000)
- Microsoft Internet Explorer, either
  - IE 10 on Windows 8 ($100,000), or
  - IE 9 on Windows 7 ($75,000)
- Mozilla Firefox on Windows 7 ($60,000)
- Apple Safari on OS X Mountain Lion ($65,000)
Web browser plug-ins using Internet Explorer 9 on Windows 7:
- Adobe Reader XI ($70,000)
- Adobe Flash ($70,000)
- Oracle Java ($20,000)