Google: We'll pay $100k if you can hack a Chromebook remotely

Google has doubled its reward for hackers who can breach Chromebooks in a locked-down state known as Guest Mode.


Google paid out more than $2m to researchers for reporting security bugs last year, but still no one has been able to successfully hack a Chromebook.

Google has put up a $100,000 reward for anyone who can find a way to hack its Chromebook over the web.

The move doubles last year's top reward of $50,000, available exclusively for attacks that achieve a persistent compromise on a Chromebook in 'guest mode', meaning the attacker's code sticks around on the device even after a reboot and affects subsequent guest-mode sessions.

In the context of a Chromebook, guest mode is a locked-down state designed to support device sharing, which protects the owner's Chrome profile from tampering, and is meant to ensure browser data and cookies vanish at the end of a session.

But as Google outlined on Monday, in the year since it dangled the $50,000 Chromebook reward under its Chrome Reward Program, it hasn't received a single successful submission.

"That said, great research deserves great awards, so we're putting up a standing six-figure sum, available all year round with no quotas and no maximum reward pool," Google security team members said.

According to Google's rewards page: "We have a standing $100,000 reward for participants who can compromise a Chromebook or Chromebox with device persistence in guest mode, ie, guest-to-guest persistence with interim reboot, delivered via a web page."

Google has previously offered more for the same attacks on Chromebooks at the Pwnium hacking contest, but that was a one-day prize under competition rules rather than a year-round offer.

With attacks on Chromebooks accounting for none of the more than $2m Google paid out to researchers for reporting security bugs last year, the new top reward is designed to encourage more activity in this area.

Google has also broadened its bounty program to include attacks on its Safe Browsing technology, which protects Chrome users from known malicious URLs on the web and potentially unwanted applications.

The new bounty, Download Protection Bypass, offers up to $1,000 for reports that bypass the feature, which is meant to flag when a user attempts to download a malicious file and provide an option to keep or discard the file.

Google is more likely to reward those who can sneak a binary into a location such as the Downloads folder where a user is more likely to execute it.
