Google offers $1 million in exploit rewards for Chrome hacks

Filed Under: Data loss, Featured, Google, Malware, Privacy, Vulnerability

ChromeGoogle is offering cash prizes totaling $1 million to hackers, plus a Chromebook, for those who successfully exploit its Chrome browser at the CanSecWest security conference next week.

According to a blog posting put up by the company's security team on Monday, winnings from the so-called Pwnium contest will be meted out according to the following exploit severity:

$60,000 — "Full Chrome exploit": Chrome/Win7 local OS user account persistence using only bugs in Chrome itself.

$40,000— "Partial Chrome exploit": Chrome/Win7 local OS user account persistence using at least one bug in Chrome itself, plus other bugs. For example, a WebKit bug combined with a Windows sandbox bug.

$20,000 — "Consolation reward, Flash/Windows/other": Chrome/Win7 local OS user account persistence that does not use bugs in Chrome. For example, bugs in one or more of Flash, Windows or a driver. These exploits are not specific to Chrome and will be a threat to users of any web browser. Although not specifically Chrome’s issue, we’ve decided to offer consolation prizes because these findings still help us toward our mission of making the entire web safer.

The Chrome-specific contest is a departure for Google.

ChromeSince 2009, the company has bared Chrome's neck to contestants of the conference's Pwn2Own competition. In past contests, major browsers — Safari, Internet Explorer and Firefox — have all been pwned.

Chrome is the only browser eligible for Pwn2Own that has never been exploited. Last year, no one even tried.

As noted by Ars Technica, contestants cite the difficulty of bypassing Google's security sandbox for their inability to figure out a successful exploit.

It might make sense for Google's security team to gloat about that, but instead they're smart enough to know how much they can learn from a successful exploit. Here's how Chris Evans and Justin Schuh from the Google Chrome Security Team put it:

The aim of our sponsorship is simple: we have a big learning opportunity when we receive full end-to-end exploits. Not only can we fix the bugs, but by studying the vulnerability and exploit techniques we can enhance our mitigations, automated testing, and sandboxing. This enables us to better protect our users.

In fact, the reason Google's split off from Pwn2Own and set up its own, Chrome-specific hacking contest this year is because of new changes in the Pwn2Own rules — changes that would hamper Google's ability to get their hands on full, successful exploits.

Here's what the security team had to say about the breakaway contest:

We decided to withdraw our sponsorship when we discovered that contestants are permitted to enter Pwn2Own without having to reveal full exploits (or even all of the bugs used!) to vendors. Full exploits have been handed over in previous years, but it’s an explicit non-requirement in this year’s contest, and that’s worrisome. We will therefore be running this alternative Chrome-specific reward program. It is designed to be attractive—not least because it stays aligned with user safety by requiring the full exploit to be submitted to us.

Google will issue multiple rewards per category up to the $1 million kitty, on a first-come, first-served basis.

The company won't split winnings; nor will there be any "winner takes all."

Google says each set of exploit bugs has to be reliable, fully functional end-to-end, disjoint (i.e., have no element in common), of critical impact, present in the latest versions and genuinely "zero-day" — in other words, they can't have been previously reported or shared with third parties.

Exploits also have to be submitted to Google for judging before being shared anywhere else.

Google is guaranteeing to send non-Chrome bugs to the appropriate vendor immediately.

Chrome best, says study funded by GoogleI say kudos to Google.

They've done a lot of bragging about Chrome's superior security compared to competitors' browsers. The Google-funded, "Google Chrome is the BEST!" study comes to mind.

Pwn2Own has underscored that security. But it wouldn't be smart for the company to rest on its laurels.

If it takes $1 million to set those laurels on fire, well, burn, baby, burn.

, , , , , , , ,

You might like

4 Responses to Google offers $1 million in exploit rewards for Chrome hacks

  1. MikeP · 1318 days ago

    Once upon a time Chrome was castigated for collecting user data and information on activities, sending it to Google. Does that still happen? If so, it is not as 'safe' as some are suggesting.

    Using 'users' to find security flaws is an important step in testing, scripted testing and UAT cannot find things that only occur because users do things differently to developers. It's good they are willing to find any bugs and put them right, even better that they will tell other vendors if their software has bugs so they can be fixed.

  2. gdogg · 1318 days ago

    Bring it!

  3. roy jones jr · 1318 days ago

    Interesting step google.

  4. Black A.M. · 1317 days ago

    Problem here is Google want remote code exec and sandbox break outs but are paying WAY under the odds to what the black/grey market and .gov's will offer.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

About the author

I've been writing about technology, careers, science and health since 1995. I rose to the lofty heights of Executive Editor for eWEEK, popped out with the 2008 crash, joined the freelancer economy, and am still writing for my beloved peeps at places like Sophos's Naked Security, CIO Mag, ComputerWorld, PC Mag, IT Expert Voice, Software Quality Connection, Time, and the US and British editions of HP's Input/Output. I respond to cash and spicy sites, so don't be shy.