Google announced on Monday that it would pay $1 million in cash awards to anyone who can hack its Chrome browser during its Pwnium security challenge next week in Vancouver at the CanSecWest conference.
Google has pledged to pay multiple awards in the amounts of $60,000, $40,000 and $20,000, depending on the severity of the exploits, up to $1 million. Winners will also receive a Chromebook.
“We require each set of exploit bugs to be reliable, fully functional end to end, disjoint, of critical impact, present in the latest versions and genuinely ’0-day,’ i.e. not known to us or previously shared with third parties,” Google wrote on its blog.
The exploits must work against Windows 7 machines running the Chrome browser.
$60,000 – “Full Chrome exploit”: Chrome / Win7 local OS user account persistence using only bugs in Chrome itself.
$40,000 – “Partial Chrome exploit”: Chrome / Win7 local OS user account persistence using at least one bug in Chrome itself, plus other bugs. For example, a WebKit bug combined with a Windows sandbox bug.
$20,000 – “Consolation reward, Flash / Windows / other”: Chrome / Win7 local OS user account persistence that does not use bugs in Chrome. For example, bugs in one or more of Flash, Windows or a driver. These exploits are not specific to Chrome and will be a threat to users of any web browser. Although not specifically Chrome’s issue, we’ve decided to offer consolation prizes because these findings still help us toward our mission of making the entire web safer.
Google’s hack challenge will run alongside the $15,000 Pwn2Own contest that runs each year at CanSecWest, which challenges researchers to exploit vulnerabilities in fully patched browsers and other software.
Last year, Google offered a $20,000 bounty, on top of the base $15,000 Pwn2Own prize, for anyone who successfully downed Chrome, but there were no takers. Chrome is currently the only browser eligible for the Pwn2Own contest that has never been brought down, Ars Technica notes. Contestants have indicated that difficulties bypassing Google’s security sandbox is the reason they’ve avoided the browser and focused on Internet Explorer and Safari.