Google raises ante for next Chrome hacking contest to $2M

That's double the maximum of March's first Pwnium

Google yesterday said it will pay up to $2 million for major vulnerabilities in its Chrome browser at a second Pwnium hacking contest this fall.

Pwn2Own, a rival contest sponsored by Hewlett-Packard, will award as much as $200,000 in a mobile-specific challenge slated to run several weeks earlier.

Google's Pwnium 2 will take place at the Hack In The Box security conference on Oct. 10 in Kuala Lumpur, Malaysia.

Like the inaugural Pwnium, which Google sponsored in March at the CanSecWest conference in Vancouver, British Columbia, the upcoming challenge will pit researchers against the then-current version of Chrome. Vulnerability and exploit experts who demonstrate exploits of previously-unknown bugs will be eligible for awards of up to $60,000 for each flaw.

For what Google calls a "full Chrome exploit" -- one that successfully hacks Chrome on Windows 7 using only vulnerabilities in Chrome itself -- Google will pay $60,000 -- the same amount it handed out at the first Pwnium.

A partial exploit that uses one bug within Chrome and one or more others -- perhaps in Windows -- will earn a researcher $50,000, a 25% increase over the same category in the CanSecWest contest. Finally, Google will pay $40,000 for any "non-Chrome" exploit that doesn't involve the browser, but reveals a flaw in, for example, Windows or Adobe's Flash Player -- which is bundled with Chrome.

Google also added a new class of awards for incomplete exploits. "We want to reward people who get 'part way' as we could definitely learn from this work," Chris Evans, a software engineer on the Chrome security team, said in a Wednesday post to Google's Chromium Blog. "Our rewards panel will judge any such works as generously as we can."

The company committed up to $2 million total to Pwnium 2, twice the maximum it risked for the original. It's unlikely it will end up paying anywhere near $2 million; in March, it wrote checks totaling $120,000, or 12% of the $1 million limit.

To claim any award except in the "incomplete" category, researchers must not only pinpoint the vulnerability but also provide working exploit code to Google.

Evans repeated what Google had said earlier, that the original Pwn2Own was a success. "We were able to make Chromium significantly stronger based on what we learned," he said, referring to the name of the open-source project run by Google that then feeds code into Chrome itself.

Both researchers who won $60,000 prizes at the March event -- Sergey Glazunov and someone identified only as "PinkiePie" -- also took home the Pwnie Award last month in the "Best Client-Side Bug" category for their Chrome work.

Another hacking contest will take place several weeks before Pwnium 2.

HP's TippingPoint will run a mobile-only version of its annual Pwn2Own in Amsterdam Sept. 19-20 at the EUSecWest security conference, where hackers will face off against Apple, Nokia, RIM and Samsung smartphones.

TippingPoint's Zero Day Initiative bug-buying program will host the event, with help from sponsors AT&T and RIM, the struggling maker of the BlackBerry. Prizes total $200,000, a record for Pwn2Own, with the top-dollar award of $100,000 going to the first researcher who demonstrates a hack of cellular baseband, the silicon inside mobile phones that connects them to carrier networks.

Other rewards will be handed out to the first to hack NFC (near field communication), the communications protocol being promoted for mobile payments, and SMS (short message service), the text-messaging service.

More information about the September Pwn2Own challenge can be found on TippingPoint's website.

Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer, on Google+ or subscribe to Gregg's RSS feed. His email address is
