For the last three years, Google’s Chrome browser has left the world’s premier hacking competition unscathed, even as Firefox, Internet Explorer and Safari have all been taken down by the assembled security researchers. So this year, Google is offering hackers a million reasons to re-focus their efforts.
Google announced Monday evening that it’s offering up to a million dollars in rewards at the annual Pwn2Own hacking contest, which takes place next week at the CanSecWest security conference in Vancouver. Hackers don’t necessarily need to target Chrome to win a chunk of that money: Google is paying $20,000 to any participant who can exploit hackable bugs in Windows, Flash, or a device driver, security problems that would affect users of all browsers. But for hacks that include flaws specific to Chrome, Google will pay $40,000 each, and for those that exploit only bugs in Chrome, the company will shell out $60,000, up to its million dollar limit.
In fact, Google’s rewards may end up dwarfing those offered by the contest’s official organizers, the Hewlett-Packard-owned Zero Day Initiative. HP plans to offer $60,000 to the first place winner, $35,000 to the second, and $15,000 to the third place contestant, using a point system to determine those placements.
And why is Google willing to pay seven figures to see its browser taken apart in public? Because, the company explains in a blog post, the annual hacking contest offers a chance to test Chrome’s mettle against some of the world’s most innovative hackers in a setting where any new flaws can be identified and patched. In return for its rewards, Google demands any winning researcher submit the details of the exploited flaws to its security team, a condition that ZDI doesn’t impose on the winning hackers. “Not only can we fix the bugs, but by studying the vulnerability and exploit techniques we can enhance our mitigations, automated testing, and sandboxing,” Chrome security engineers Chris Evans and Justin Schuh write. “This enables us to better protect our users.”
Pwn2Own isn’t the only time researchers can be paid for digging up security flaws in Chrome. Like other companies including Mozilla and Facebook, Google offers “bug bounties” to researchers, and its flaw-buying program has given out more than $300,000 in payments over the last two years.
Even when Google offered an extra $20,000 to anyone who could hack its browsers last year, no one took up the challenge. That result provides great marketing fodder, but Google says it’s more eager to expose bugs in its code–hence this year’s massive payouts. “While we’re proud of Chrome’s leading track record in past competitions, the fact is that not receiving exploits means that it’s harder to learn and improve,” Evans and Schuh write. “To maximize our chances of receiving exploits this year, we’ve upped the ante.”