Google and its Chrome bounty hunters

Google is offering cash prizes totaling $US1 million, plus a Chromebook, to hackers who successfully exploit its Chrome browser at the CanSecWest security conference next week.

According to a blog posting put up by the company's security team on Monday, winnings from the so-called Pwnium contest will be meted out according to the following exploit severity:

$US60,000 — "Full Chrome exploit": Chrome/Win7 local OS user account persistence using only bugs in Chrome itself.

$US40,000 — "Partial Chrome exploit": Chrome/Win7 local OS user account persistence using at least one bug in Chrome itself, plus other bugs. For example, a WebKit bug combined with a Windows sandbox bug.

$US20,000 — "Consolation reward, Flash/Windows/other": Chrome/Win7 local OS user account persistence that does not use bugs in Chrome. For example, bugs in one or more of Flash, Windows or a driver. These exploits are not specific to Chrome and will be a threat to users of any web browser. Although not specifically Chrome’s issue, we’ve decided to offer consolation prizes because these findings still help us toward our mission of making the entire web safer.

The Chrome-specific contest is a departure for Google.

Since 2009, the company has bared Chrome's neck to contestants of the conference's Pwn2Own competition. In past contests, major browsers — Safari, Internet Explorer and Firefox — have all been pwned.

Chrome is the only browser eligible for Pwn2Own that has never been exploited. Last year, no one even tried.

As noted by Ars Technica, contestants cite the difficulty of bypassing Google's security sandbox as the reason for their inability to figure out a successful exploit.

It might make sense for Google's security team to gloat about that, but instead they're smart enough to know how much they can learn from a successful exploit. Here's how Chris Evans and Justin Schuh from the Google Chrome Security Team put it:

The aim of our sponsorship is simple: we have a big learning opportunity when we receive full end-to-end exploits. Not only can we fix the bugs, but by studying the vulnerability and exploit techniques we can enhance our mitigations, automated testing, and sandboxing. This enables us to better protect our users.

In fact, Google has split off from Pwn2Own and set up its own Chrome-specific hacking contest this year because of new changes in the Pwn2Own rules — changes that would hamper Google's ability to get its hands on full, successful exploits.

Here's what the security team had to say about the breakaway contest:

We decided to withdraw our sponsorship when we discovered that contestants are permitted to enter Pwn2Own without having to reveal full exploits (or even all of the bugs used!) to vendors. Full exploits have been handed over in previous years, but it’s an explicit non-requirement in this year’s contest, and that’s worrisome. We will therefore be running this alternative Chrome-specific reward program. It is designed to be attractive—not least because it stays aligned with user safety by requiring the full exploit to be submitted to us.

Google will issue multiple rewards per category up to the $US1 million kitty, on a first-come, first-served basis.

The company won't split winnings; nor will there be any "winner takes all."

Google says each set of exploit bugs has to be reliable, fully functional end-to-end, disjoint (i.e., have no element in common), of critical impact, present in the latest versions and genuinely "zero-day" — in other words, they can't have been previously reported or shared with third parties.

Exploits also have to be submitted to Google for judging before being shared anywhere else.

Google is guaranteeing to send non-Chrome bugs to the appropriate vendor immediately.

I say kudos to Google.

They've done a lot of bragging about Chrome's superior security compared to competitors' browsers. The Google-funded, "Google Chrome is the BEST!" study comes to mind.

Pwn2Own has underscored that security. But it wouldn't be smart for the company to rest on its laurels.

If it takes $US1 million to set those laurels on fire, well, burn, baby, burn.

Lisa Vaas is a technology writer for Sophos.
