Google's hacker challenge: Confidence or chutzpah?
Company offers $20K for skilled hack of Chrome at Pwn2Own 2011
- By Chris Paoli
- Feb 08, 2011
Note: This story was updated at 12:45 p.m., Feb. 9.
Google is looking to reward those who can find a vulnerability in its Chrome browser.
Software companies tend to dissuade users from finding and broadcasting exploits, but Google will pay $20,000 for a skilled hack at the Pwn2Own 2011 event, being held March 9-11. Organized by security software company TippingPoint, Pwn2Own is an annual computer hacking contest held during the CanSecWest security conference in Vancouver, BC.
Cash prizes for hacks have been offered in the past by TippingPoint, but this year marks a first for third-party sponsorship -- namely by Google.
"Kudos to the Google security team for taking the initiative to approach us on this; we're always in favor of rewarding security researchers for the work they too-often do for free," wrote Aaron Portnoy, manager of the security research team at TippingPoint, in a released statement.
Google may be feeling somewhat confident in putting up the money. Last year, its Chrome browser was the only browser to withstand hackers' attempts to find vulnerabilities. Internet Explorer, Firefox and Safari were not so lucky.
To be considered a successful vulnerability discovery, hackers must compromise the browser using a sandbox escape (only exploiting Google-generated code in its browser) on a Windows 7 machine. Along with the $20,000 prize, the company will also award the winner its first version of the Google Chrome OS laptop, the CR-48.
All told, including Google's prize money, Pwn2Own organizers will be offering a total of $125,000 in prize money to those who can find flaws in the aforementioned Web browsers, as well as holes in the following mobile phone OSes: Windows Phone 7, Apple iOS, BlackBerry 6 OS and Google Android OS.
Hackers will have strict requirements in discovering a vulnerability in the mobile phone OSes.
"A successful attack against these devices must require little to no user interaction and must compromise useful data from the phone," Portnoy wrote. "Any attack that can incur cost upon the owner of the device (such as silently calling long-distance numbers, eavesdropping on conversations, and so forth) is within scope."
The Pwn2Own conference was not even going to invite the Chrome browser this year after it was not hacked in 2010, despite a $10,000 bounty on it, according to TechCrunch. But Google stepped forward as a sponsor of the event with the $20,000 reward for a sophisticated hack of Chrome.
Google, an engineer and open-source advocate, has a history of paying developers, researchers and hackers who find bugs in their code. The Chromium developer project that has produced both the Chrome Browser and the Chrome operating system offers rewards of varying sizes, with the most common being $1,337, a number associated with a version of Chrome.
From the Chromium blog: "As per Mozilla, our base reward for eligible bugs is $500. If the panel finds a particular bug particularly severe or particularly clever, we envisage rewards of $1337. The panel may also decide a single report actually constitutes multiple bugs. As a consumer of the Chromium open source project, Google will be sponsoring the rewards."
A lot of open-source developers encourage users and hackers to find bugs in their programming code. For instance, Mozilla, the maker of the Firefox browser, has a Bug Bounty Program that pays modest sums to people who find bugs in Mozilla software.
For more information on Pwn2Own and the CanSecWest 2011 convention, click here.
Dan Rowinski contributed to this story.
Chris Paoli is the associate Web editor for 1105 Enterprise Computing Group's Web sites, including Redmondmag.com, RCPmag.com, ADTmag.com and VirtualizationReview.com.