Google has cancelled its annual Pwnium hacking contest, saying the shindig was letting vulnerabilities go undisclosed for too long.
For the last four years, Google has staged Pwnium as a one-day event giving hackers and security wonks a chance to earn prize money by finding vulnerabilities in the company's products. Pwnium won't be a physical event from now on; instead, Google's turning it into a rolling bug-hunting program.
"We've received some great entries over the years, but it's time for something bigger. Starting today, Pwnium will change its scope significantly, from a single-day competition held once a year at a security conference to a year round, worldwide opportunity for security researchers," Tim Willis, a 'hacker philanthropist' on the Chrome security team, wrote on Google's security blog on Tuesday.
One of Pwnium's chief attractions for participants was the healthy rewards program it offered for those uncovering exploits - $2.7m was put up for grabs last year. While the format may have changed, the prize pot is still available and Willis said that "it now goes all the way up to $∞ million," adding: "Our lawyercats wouldn't let me say 'never-ending' or 'infinity million' without adding that 'this is an experimental and discretionary rewards program and Google may cancel or modify the program at any time.'"
"Logistically, we'll be adding Pwnium-style bug chains on Chrome OS to the Chrome VRP. This will increase our top reward to $50,000, which will be on offer all year-round," Willis said. VRP is Google's Vulnerability Rewards Program. Launched in 2010, it pays out between $500 and $500,000 when researchers find medium, severe, or critical bugs in the Chrome browser and Chrome OS. Researchers are now being asked to submit bugchains they would have shown off at Pwnium to the VRP.
According to Google, the changes to Pwnium were brought in to prevent security researchers from keeping the vulnerabilities they unearthed to themselves.
"If a security researcher was to discover a Pwnium-quality bug chain today, it's highly likely that they would wait until the contest to report it to get a cash reward. This is a bad scenario for all parties. It's bad for us because the bug doesn't get fixed immediately and our users are left at risk," Willis wrote, adding that where vulnerabilities are not disclosed, two researchers may end up unknowingly duplicating work.
A year-round program will also mean more researchers can get involved and won't need to attend a particular event - previous Pwniums have been staged in locations including Kuala Lumpur and Vancouver - to do so.