Google: full-blown Chrome exploit worth $60,000 – $1 Million
Chris Evans and Justin Schuh from the Google Chrome Security Team explained the offer to hackers, saying, “We have a big learning opportunity when we receive full end-to-end exploits. Not only can we fix the bugs, but by studying the vulnerability and exploit techniques we can enhance our mitigations, automated testing, and sandboxing. This enables us to better protect our users.”
Google has also withdrawn as a sponsor of next month’s Pwn2Own hacking contest. Instead, the company will fork out as much as $1 million to those who can exploit Chrome. Google will run its own exploit challenge at the CanSecWest security conference.
“We decided to withdraw our sponsorship when we discovered that contestants are permitted to enter Pwn2Own without having to reveal full exploits, or even all of the bugs used, to vendors,” said Chris Evans and Justin Schuh. “Full exploits have been handed over in previous years, but it’s an explicit non-requirement in this year’s contest, and that’s worrisome.”
In addition to the money, winners will also receive a Chromebook. “We will issue multiple rewards per category, up to the $1 million limit, on a first-come-first served basis. There is no splitting of winnings or ‘winner takes all.’ We require each set of exploit bugs to be reliable, fully functional end to end, disjoint, of critical impact, present in the latest versions and genuinely ‘0-day,’ i.e. not known to us or previously shared with third parties. Contestant’s exploits must be submitted to and judged by Google before being submitted anywhere else,” Google explained.