Google is sponsoring a second Pwnium contest to reward bug hunters for hacking into systems, with up to $2 million in rewards available to those who can demonstrate a working exploit.
The Pwnium 2 competition will be held in October at the Hack In The Box security conference in Malaysia. The search engine giant will put the latest stable version of its Chrome browser in front of hackers. The underlying operating system and drivers will be fully patched and running on an Acer Aspire V5-571-6869 laptop, Google said in a blog entry announcing the Pwnium 2 contest details.
"We’re happy to make the web safer by any means -- even rewarding vulnerabilities outside of our immediate control," wrote Chris Evans, a Google software engineer, on the Chromium blog.
Google will award $60,000 for a full Chrome exploit using only bugs in Chrome itself, and $50,000 for a partial Chrome exploit using Chrome itself and other browser or Windows vulnerabilities such as WebKit or kernel-level flaws. A $40,000 prize will be awarded for a non-Chrome exploit for a bug in Flash, Windows or a driver. In addition, incomplete or unreliable exploits may also receive a prize, Google said. "Our rewards panel will judge any such works as generously as we can," wrote Evans.
Google extended its Chromium Security Rewards Program in February with the introduction of the Pwnium hacking competition at the CanSecWest 2012 conference in Vancouver, BC. Pwnium ran alongside the HP-TippingPoint Pwn2Own contest and rewarded researchers with $1 million worth of rewards. Google is one of several companies, including Mozilla and Facebook, that offer bug bounty programs. Microsoft remains opposed to a vulnerability rewards program.
At CanSecWest, Vupen Security took down Chrome in the first five minutes of the competition, enabling the researchers to use the attack to bypass the sandbox as well as DEP and ASLR restrictions in Windows. A flaw in Google Chrome was also successfully exploited during Pwn2Own, enabling a researcher to bypass the browser sandbox and gain access to the system.
"We received two submissions of such complexity and quality that both of them won Pwnie Awards at this year’s Black Hat industry event," Evans wrote of the first Pwnium competition. "Most importantly, we were able to make Chromium significantly stronger based on what we learned."