Security is a top priority for every organization, and Google is no exception. On Monday the company announced that it has set aside US$1 million in bug-bounty prizes -- that's £625,000 in old money. It's happening next week at the CanSecWest conference in Vancouver, Canada, running in parallel with HP TippingPoint's similar Pwn2Own contest. Taking its name from Chromium, the open-source project behind Chrome, Google calls its bug-finding program Pwnium.
According to Chris Evans and Justin Schuh of the Google Chrome Security Team, there will be $60,000 for every "Full Chrome Exploit," $40,000 for every "Partial Chrome Exploit" and a consolation prize of $20,000 for other exploits that help make "the entire web safer." In case of a flood of clever security researchers, Google is capping its exposure at the $1 million pot, and judges will award prizes on a first-come, first-served basis. This comes on top of the more than US$300,000 the company has reportedly paid out in rewards over the past two years.
However, if that sounds like easy money, think again: as Ars Technica reports, Chrome is the only browser that has never been exploited at Pwn2Own. According to the same report, one of the main reasons Google's browser has held up is its security sandbox, which is designed to contain a renderer compromise so that a single bug is not enough to take over the machine.
Google isn't alone in this effort. Companies like Microsoft, Apple and Amazon often draw on the white-hat hacker community to improve their code and to learn how security experts interact with their products. Given the sensitive nature of the subject, public competitions like Pwn2Own are only the tip of the iceberg; much of this work happens privately.
Holding competitions for security experts to exploit your systems is something that should be considered by any organization. How about yours?
The Pwn2Own contest is organized by the Zero Day Initiative team at HP TippingPoint. Its track record is impressive: since 2007 the competition has disclosed exploitable vulnerabilities in Firefox, Flash, Internet Explorer, Safari, and Mobile Safari browsers, not to mention Android, BlackBerry OS, iOS, and Symbian.
This year there will be four targets: the four most popular browsers on the market, running on the latest, fully patched version of either Windows 7 or Mac OS X Lion.
For some reason, though, mobile platforms don't seem to be targeted this year -- so apparently no testing of Android, iOS, palmOS or Windows Phone. When I asked the Pwn2Own organizers why, their cryptic reply was, "There will be an update on that point sometime soon." Make of that what you will.
This year's rules have also changed. According to the organizers, the aim is to make the contest "less like a lottery" and more "fair for the contestants." The contest will be point-based, and the winners will be the top three scorers at the end of the final day. Anyone who demonstrates a working zero-day exploit will be awarded 32 points. The first to write and demonstrate an exploit for one of two pre-announced vulnerabilities will be awarded points based on how long it takes them.
HP will put up to $105,000 in cash prizes for the event, which promises to attract a lot of attention from IT security professionals and others. You can follow the official competition account, @Pwn2Own_Contest, on Twitter and monitor the #pwn2own and #pwnium hashtags during the event for your vicarious security pleasure.