Google promises Chrome hackers $1m in rewards

Posted by Emma Woollacott

Google's offering $1 million in bounty payments to hackers managing to come up with a fully-functional exploit of Chrome.

The company may not be expecting to pay out. Over the last six years, Pwn2Own contestants at the CanSecWest conference have cracked both Internet Explorer and Safari, while Chrome has remained intact.

This year, however, Google's going it alone with its hacking prize, having decided to pull out of the Pwn2Own contest. It's unhappy that contestants are allowed to enter the competition without having to reveal full exploits to vendors - or even all of the bugs used.

"The aim of our sponsorship is simple: we have a big learning opportunity when we receive full end-to-end exploits. Not only can we fix the bugs, but by studying the vulnerability and exploit techniques we can enhance our mitigations, automated testing, and sandboxing. This enables us to better protect our users," say Chris Evans and Justin Schuh of the Chrome Security Team on a company blog.

"While we’re proud of Chrome’s leading track record in past competitions, the fact is that not receiving exploits means that it’s harder to learn and improve."

The $1 million will be broken down into different amounts, depending on the extent of the exploit. There's $60,000  for a full Chrome exploit - achieving user account persistence using only bugs in the browser itself.

A partial exploit, using at least one bug in Chrome itself, will net its creator $40,000, while there's a consolation prize of $20,000 for exploits that don't actually rely on bugs in Chrome - for example, bugs in one or more of Flash, Windows or a driver.

"We will issue multiple rewards per category, up to the $1 million limit, on a first-come-first served basis. There is no splitting of winnings or 'winner takes all'," say Evans and Schuh.

"We require each set of exploit bugs to be reliable, fully functional end to end, disjoint, of critical impact, present in the latest versions and genuinely '0-day', ie not known to us or previously shared with third parties."