Google offers up to US$2 million to break Chrome

Google has upped the ante on its competition to break Google Chrome, increasing the total prize pool to US$2 million.

On the back of increasing the bounties for its vulnerabilities rewards program , Google has announced that it will double the kitty for its Google Chrome hacking competition.

Google previously placed Chrome in the firing line at Pwn2Own last year, when it offered US$20,000 to anyone who could break it, but no one stepped up to accept the challenge. Earlier this year, it split off from Pwn2Own with its own bug-hunting competition, called Pwnium, and increased the top reward — for breaking Chrome using Chrome-specific code — to US$60,000. As part of the competition, Google set aside US$1 million in total rewards for anyone who wanted to submit multiple exploits.

Now organising its second Pwnium early to give hackers more notice, Google has raised the total kitty to US$2 million, and increased some of the rewards for exploits.

The top reward still remains at US$60,000, but hackers who are able to break Chrome using non-Chome-specific code or exploits, such as a Windows kernel bug as a springboard, will be rewarded with US$50,000. Previously, this prize was worth US$40,000.

Additionally, exploits directly unrelated to Chrome can be submitted, and are eligible for US$40,000 in rewards. Previously, these were only worth US$20,000. This also means that hackers who find non-Google bugs can still be rewarded for their efforts, even if the owner of the code that they are exploiting has decided not to offer bounties, such as Microsoft.

Lastly, Google is offering to-be-determined rewards for partial exploits, or those that can't be immediately used. Such examples include exploits that work within Chrome's sandbox, but aren't considered an immediate threat because they don't break the sandbox. Google's judging panel will come to a decision on how much these incomplete exploits are worth.

Hackers will be required to demonstrate their exploits on the latest stable release of Chrome, running on a patched fully Acer Aspire V5-571-6869 laptop. The hacker responsible for the best entry will also get to keep the laptop.

The other, more important aspect of the competition is that the exploits must be documented. This ensures that Google is able to patch Chrome's vulnerabilities and/or alert other vendors that are affected. In the last Pwnium, the two winning entries were both blocked within 24 hours of being demonstrated, and later shared on the Chromium Blog so that anyone could learn from Google's mistakes.

Show Comments