Google has withdrawn its sponsorship of the Pwn2Own contest at this year’s CanWestSec security conference, opting instead to sponsor “Pwnium,” its own competition at CanWestSec for security exploits found in its own Chrome browser. Google is putting its money where its mouth is, offering up to $1 million for viable security exploits found in its Chrome browser. However, to collect the bounty, hackers and/or security researchers have to disclose the full end-to-end details of their flaws. That disclosure is why Google pulled its sponsorship of Pwn2Own: for the first time this year, Pwn2Own is not requiring participants reveal their full exploits.
“We decided to withdraw our sponsorship when we discovered that contestants are permitted to enter Pwn2Own without having to reveal full exploits (or even all of the bugs used!) to vendors,” wrote Chris Evans and Justin Schuh of the Google Chrome Security Team. “Full exploits have been handed over in previous years, but it’s an explicit non-requirement in this year’s contest, and that’s worrisome.”
The Pwn2Own rules don’t say much about diclosure of vulnerabilities, only that any exploits will be reviewed by judges to ensure multiple teams don’t use duplicate exploits. However, in a tweet last month the contest organizers indicated that if a zero-day exploit is not a winner, “the vuln is still theirs and will not be reported.”
However, Google still wants hackers and security researchers to look for (and report) flaws in its Chrome browser—and its offering up to $1 million for those exploits. Instead of participating in Pwn2Own, Google will run its own “Pwnium” contest, offering up to $60,000 for a “full Chrome exploit” that enables attackers to take over a Windows 7 account using only flaws in Chrome: Google will also offer $40,000 prizes for partial Chrome exploits and $20,000 for exploits that use other problems (like Flash or driver bugs). Winners will also receive a Chromebook. Google says it will pay multiple rewards per category up to $1 million on a first-come, first-served basis, but Google has to have first crack at the exploits, and contestants have to disclose full details of their attacks.
Google’s new prizes represent a significant increase: previously, Google had offered $20,000 for “full Chrome exploits” and $10,000 for partial Chrome exploits. Security researchers have noted that those earlier prizes were not enough to be worth researchers’ or hackers’ time. Someone who found a solid exploit in Chrome or another browser could make far more money by selling the attack to malware distributors and other cybercriminals, rather than reporting the problem to Google.
Perhaps as a result, Google’s Chrome has done well at Pwn2Own: in five years, no one has taken home prize money for exploiting Chrome.
The Pwn2Own contest is set up by HP TippingPoint, with the aim of gathering data it can use to beef up its intrusion detection systems. However, Google is more interested in discovering end-to-end flaws and improving the security of its browser. Overall, Google’s decision to stop sponsoring Pwn2Own and offer its own higher bounties for Chrome exploits seems to have been well-received.