All about Google Chrome & Google Chrome OS

02 Mar 12 Pwn2Own Host Responds to Google’s Departure


The host of Pwn2Own has responded to Google’s decision to pull out of the 2012 competition and offer its own cash prizes for Chrome hacks.

Google recently offered up to $1 million in prize money at CanSecWest for those who could exploit the Chrome web browser using all-Chrome bugs or a combination of OS and Chrome bugs. Google also offers cash for participants who uncover exploits that could endanger web browsing altogether, not just with Google’s browser. The company said the competition is separate from Pwn2Own, which Google decided not to sponsor this year.

“Originally, our plan was to sponsor as part of this year’s Pwn2Own competition,” the Google Chrome Security team said on Monday. “Unfortunately, we decided to withdraw our sponsorship when we discovered that contestants are permitted to enter Pwn2Own without having to reveal full exploits (or even all of the bugs used!) to vendors. Full exploits have been handed over in previous years, but it’s an explicit non-requirement in this year’s contest, and that’s worrisome.”

After we posted the news article, HP DVLabs, the company hosting the Pwn2Own contest, said there’s been some confusion created by Google’s decision to create its own event rather than sponsor HP DVLabs’ Pwn2Own competition. The company also responded to Google’s claim about contestants not having to reveal full exploits to vendors.

“Affected vendors always receive full details for vulnerabilities discovered during the Pwn2Own contest – this is a key benefit for the vendor community,” the company told Tom’s. “HP DVLabs analyzes each vulnerability it receives to determine the root problem, severity of the vulnerability, and its susceptibility to attack to help vendors assess the risks and deal with mitigating them.”

Pwn2Own contestants will have access to a total “purse” of $105,000 this year, spread over three prizes for vulnerabilities discovered in Firefox, Internet Explorer, Safari and Chrome. HP DVLabs says that Google’s withdrawal only removes the additional $20,000 it had offered up for vulnerabilities in its Chrome browser.

“While Google has opted to go it alone to run its own security contest, HP doesn’t necessarily see Google’s move as undermining the Pwn2Own 2012 event,” the company said. “Very few vendors have the expertise, time, or capital to manage security analysis of the type that [parent company] HP TippingPoint does at Pwn2Own and as part of ZDI. Vulnerabilities are increasing in complexity and until vendors significantly invest in creating a thriving security research team within their own organization, they will rely on contests like Pwn2Own that can cut through the clutter and identify vulnerabilities based on risk.”

HP DVLabs has successfully hosted the Pwn2Own contest through the Zero Day Initiative (ZDI) since 2009, and the contest will continue as planned during the conference next week, the company said.

Article source: http://www.tomsguide.com/us/Google-Chrome-Pwn2Own-Hacking-HP-DVlabs,news-14331.html


29 Feb 12 Hack Google’s Chrome Browser, Get Up to $60000 USD


Google is offering up to $1 million in prizes for successfully hacking the Chrome web browser.

On Monday Google said it is now shelling out up to $1 million worth of rewards for anyone who can crack open its Chrome web browser.

According to Chris Evans and Justin Schuh of the Google Chrome Security Team, the biggest cash prize of $60,000 will go to those who discover a “full Chrome exploit” using bugs found only within Chrome itself. $40,000 will be awarded to those who perform a partial Chrome exploit using at least one Chrome bug plus other OS bugs (a WebKit bug combined with a Windows sandbox bug, for example).

“Originally, our plan was to sponsor as part of this year’s Pwn2Own competition,” the Google Chrome Security team said on Monday. “Unfortunately, we decided to withdraw our sponsorship when we discovered that contestants are permitted to enter Pwn2Own without having to reveal full exploits (or even all of the bugs used!) to vendors. Full exploits have been handed over in previous years, but it’s an explicit non-requirement in this year’s contest, and that’s worrisome.”

Thus, Google is now offering rewards for hacking its web browser outside the Pwn2Own competition. In addition to the Full Chrome Exploit and Partial Chrome Exploit categories, Google will also offer $20,000 to those who fall under the “Consolation reward, Flash / Windows / other” category, or rather, those who discover bugs that could threaten users in any browser including bugs in one or more of Flash, Windows or a device driver.

The team said Google is offering consolation prizes because these findings help propel the company’s overall mission to make the entire web safer to crawl no matter what browser is used.

“We will issue multiple rewards per category, up to the $1 million limit, on a first-come-first served basis,” the blog reads. “There is no splitting of winnings or ‘winner takes all.’ We require each set of exploit bugs to be reliable, fully functional end to end, disjoint, of critical impact, present in the latest versions and genuinely ’0-day,’ i.e. not known to us or previously shared with third parties. Contestant’s exploits must be submitted to and judged by Google before being submitted anywhere else.”

All winners will also receive a Chromebook, the team said.

Article source: http://www.tomshardware.com/news/Google-Chrome-Exploit-Chris-Evans-Justin-Schuh,14840.html
