Google offers up to US$2 million to break Chrome

Summary: Google has upped the ante on its competition to break Google Chrome, increasing the total prize pool to US$2 million.

TOPICS: Security, Google

On the back of increasing the bounties for its vulnerabilities rewards program, Google has announced that it will double the kitty for its Google Chrome hacking competition.

Google previously placed Chrome in the firing line at Pwn2Own last year, when it offered US$20,000 to anyone who could break it, but no one stepped up to accept the challenge. Earlier this year, it split off from Pwn2Own with its own bug-hunting competition, called Pwnium, and increased the top reward — for breaking Chrome using Chrome-specific code — to US$60,000. As part of the competition, Google set aside US$1 million in total rewards for anyone who wanted to submit multiple exploits.

Now organising its second Pwnium early to give hackers more notice, Google has raised the total kitty to US$2 million, and increased some of the rewards for exploits.

The top reward still remains at US$60,000, but hackers who are able to break Chrome using non-Chrome-specific code or exploits, such as a Windows kernel bug as a springboard, will be rewarded with US$50,000. Previously, this prize was worth US$40,000.

Additionally, exploits directly unrelated to Chrome can be submitted, and are eligible for US$40,000 in rewards. Previously, these were only worth US$20,000. This also means that hackers who find non-Google bugs can still be rewarded for their efforts, even if the owner of the code that they are exploiting, such as Microsoft, has decided not to offer bounties.

Lastly, Google is offering to-be-determined rewards for partial exploits, or those that can't be immediately used. Such examples include exploits that work within Chrome's sandbox, but aren't considered an immediate threat because they don't break the sandbox. Google's judging panel will come to a decision on how much these incomplete exploits are worth.

Hackers will be required to demonstrate their exploits on the latest stable release of Chrome, running on a fully patched Acer Aspire V5-571-6869 laptop. The hacker responsible for the best entry will also get to keep the laptop.

The other, more important aspect of the competition is that the exploits must be documented. This ensures that Google is able to patch Chrome's vulnerabilities and/or alert other vendors that are affected. In the last Pwnium, the two winning entries were both blocked within 24 hours of being demonstrated, and later shared on the Chromium Blog so that anyone could learn from Google's mistakes.

Michael Lee

About Michael Lee

A Sydney, Australia-based journalist, Michael Lee covers a gamut of news in the technology space including information security, state Government initiatives, and local startups.

  • Google offers up to US$2 million to break Chrome

    Kudos Google.
  • Google is clearly serious about their Chrome browser security on Windows

    I wish they'd do similar with OS X.
    Rabid Howler Monkey
  • You're Kidding! Google Chrome is Already Broken!

    The latest release, 21, is barely functional since it cannot not load pages without hitting the reload or new-tab buttons under win7. From the support forum, they are asking users to dump and post their GPU configurations which means Google is probably trying to increase performance by writing device specific code and not succeeding, or they're using it as a barrier to discourage users from posting problems.

    Starting this week, Chrome 21.0.1180.75, 77, and 79 are toast! So much for rapid/silent release updates, like Firefox got caught in with Flash player problems, but at least Firefox posted a work around!

    This reward thing is ass-backwards -- put out a thoroughly tested product first instead of relying on the end-users to find basic problems!
  • Ya....

    Shouldn't be too hard to break Chrome. Every 2-3 weeks there is a new update to fix a dozen or so security problems in the previous issues. When will it stop?
    Google offers $2 million but in reality way less. Look at the rewards: $40,000, $50,000, $60,000... You're talking 40 vulnerabilities - which seems hard - OK maybe not for Chrome. But still. They should take the $2 million and divide it by the number of vulnerabilities.
    • hey

      please post your input if you're so good
      Jason Santana
  • Not exactly 2 mil.

    More Google suckage.
    How do I break thee?
    Let me count the ways.
    With Chrome code (it's just binhex to me) set up ramjam.
    Reboot for days and days.
    Break it live, don't up the 'sploit, make em pay up maam.
    Why isn't Chrome hacked more(?) Nobody .gif's a damn.
    With Windoze we need not even suffer.
    As it only takes infinity for a simple sum to buffer.
    Multiply X Quintillion googolplex, in negative base float 12
    divide by thirty and one quarter tretagillion, then for an answer delve.
    Use forms in the background to order from Cuba Tobacco, not more than a few zillion
    Lock all resources to the task, no report upon completion.
    Set all .sys,.dll, .exe and .com for deletion.
    On next reboot try to remember DOS 2.01, in Latavian argot.
    And watch your heat sink slowly melt, oops, your CPU is shot.
    Let's smash some apples just for fun.
    Just 'cause Macdaddys claim it can't be done.
    Now let's count the 2,000,000 you were supposed to got.
    Then remind the whole damned world...
    should've listened to Ed Bot.
    And set a sub-routine to name everyone ever called a t.w.a.t.
    You can divide by zero, in negative base,
    but your computers guts will overcook, and spray melted MoBo on your face.
    Leave my 2 mill on the porch, under the pot plant in the vase.
    Why take a few grand for something worth millions in the right wrong hands?
    phug em and feed em fish heads, it's easier than all that.
    My mobile ap is a game, try to find the cat.
    And remember if the zombies come, hide yer brainz beneath yer hat.
    BTW autoclick gets a penny, refs might get a dime,
    I'll just take some mescal, perhaps some salt and slice of lime,
    now pour that in the power supply...hit the hard drive with a hammer.
    Now mother hubbards all bent over, go ahead and ram 'er.

    Obviously somebody is attempting to forge my posts....yeah, that oughta woik.
    Ok, I'm 1027 to the speakeasy, ya'll stay loose,
    And take it easy.
    Take it easy?
    Hell, at this point in the game I'll take it any way I can get it.
    Bye Bye, Buy bonds, and bicycle.
    Bisexual? Dood, I ain't EVAR had to pay for it.
    Otis Driftwood
    • so much hostility here

      If it were so easy, then your name would have been on the list of these recipients. Stop complaining and just make the money that you so rightfully think that you deserve.
      Jason Santana
  • I Win

    Shoot, my Chrome browser is broken right now. So where do I collect my $2 million?