Andre Yoskowitz
28 Feb 2012 14:17
Google has put $1 million on the line if security researchers or hackers can exploit their popular Chrome browser.
The company has also pulled out of the annual Pwn2Own contest, where they were regular sponsors. Google says there were changes in the rules by contest organizer Zero Day Initiative (ZDI) which they did not approve of: "We decided to withdraw our sponsorship when we discovered that contestants are permitted to enter Pwn2Own without having to reveal full exploits, or even all of the bugs used, to vendors. Full exploits have been handed over in previous years, but it's an explicit non-requirement in this year's contest, and that's worrisome."
Chrome is a "sandboxed" system which normally means any hack of the browser requires multiple exploits, and Chrome has remained untouched for years while other browsers like Internet Explorer, Firefox and Safari normally last just a few hours during the contest.
For the new $1 million prize, hackers will need to perform a "full Chrome exploit" which exploits Chrome on Windows 7 using only vulnerabilities in Chrome itself. That alone will bring $60,000 and every other partial exploit that uses one bug will earn $40,000. Additionally, Google will pay $20,000 for "consolation" exploits that "hack Chrome without using any vulnerabilities in the browser itself."
Concludes Google: "We will issue multiple rewards per category, up to the $1 million limit, on a first-come-first served basis."