Google Chrome Pwn2Own Challenge: Hack Chrome, Make a Million

Image Courtesy: Wikimedia Commons

Can you hack? Would you take down Google Chrome — and Firefox, Safari or Internet Explorer? There’s up to a million dollars in it for you if you just focus on Chrome, but cash prizes all around, Google execs announced in a blog post today.

At next week’s CanSecWest security convention in Vancouver, Google will for the fourth year sponsor the annual Pwn2Own contest. But this year it is taking no prisoners, Google Chrome security engineers said.

According to Google, if you show you are able to exploit flaws in just Google Chrome — and share all the exploit details, no-holds barred — prizes start at 60K and continue all the way to the seven-figure limit.

In its revamped challenge, in other words, Google wants you to rip Chrome up — for all the world to see — in order to identify potential security flaws. Its contest is tougher than previous years, where hackers weren’t required to share all the details. Hewlett-Packard, which owns the Zero Day Initiative that officially runs Pwn2Own, doesn’t require such openness. You will win cash prizes for exposing other flaws in other browsers and plug-ins, like Flash, but the alternative Chrome-only contest is the money.

Chris Evans and Justin Schuh, Google security engineers, explain why it is willing to pay more this year — in exchange for a lot more detail — in a blog post published in Monday evening Pacific. The full text of their post is below.

Will you try it? Let us know. Ready, set, hack. There’s money in it for you, a Chromebook and, if history is any guide, probably a big job in it for you, too. Full details below — and more here at the Chromium blog.

Here’s the post in excerpt:

This year at the CanSecWest security conference, we will once again sponsor rewards for Google Chrome exploits. This complements and extends our Chromium Security Rewards program by recognizing that developing a fully functional exploit is significantly more work than finding and reporting a potential security bug.

The aim of our sponsorship is simple: we have a big learning opportunity when we receive full end-to-end exploits. Not only can we fix the bugs, but by studying the vulnerability and exploit techniques we can enhance our mitigations, automated testing, and sandboxing. This enables us to better protect our users.

While we’re proud of Chrome’s leading track record in past competitions, the fact is that not receiving exploits means that it’s harder to learn and improve. To maximize our chances of receiving exploits this year, we’ve upped the ante. We will directly sponsor up to $1 million worth of rewards in the following categories:

$60,000 – “Full Chrome exploit”: Chrome / Win7 local OS user account persistence using only bugs in Chrome itself.

$40,000 – “Partial Chrome exploit”: Chrome / Win7 local OS user account persistence using at least one bug in Chrome itself, plus other bugs. For example, a WebKit bug combined with a Windows sandbox bug.

$20,000 – “Consolation reward, Flash / Windows / other”: Chrome / Win7 local OS user account persistence that does not use bugs in Chrome. For example, bugs in one or more of Flash, Windows or a driver. These exploits are not specific to Chrome and will be a threat to users of any web browser. Although not specifically Chrome’s issue, we’ve decided to offer consolation prizes because these findings still help us toward our mission of making the entire web safer.

All winners will also receive a Chromebook.

We will issue multiple rewards per category, up to the $1 million limit, on a first-come-first served basis. There is no splitting of winnings or “winner takes all.” We require each set of exploit bugs to be reliable, fully functional end to end, disjoint, of critical impact, present in the latest versions and genuinely “0-day,” i.e. not known to us or previously shared with third parties. Contestant’s exploits must be submitted to and judged by Google before being submitted anywhere else.

Originally, our plan was to sponsor as part of this year’s Pwn2Own competition. Unfortunately, we decided to withdraw our sponsorship when we discovered that contestants are permitted to enter Pwn2Own without having to reveal full exploits (or even all of the bugs used!) to vendors. Full exploits have been handed over in previous years, but it’s an explicit non-requirement in this year’s contest, and that’s worrisome. We will therefore be running this alternative Chrome-specific reward program. It is designed to be attractive — not least because it stays aligned with user safety by requiring the full exploit to be submitted to us. We guarantee to send non-Chrome bugs to the appropriate vendor immediately.

Drop by our table at CanSecWest to participate and check the latest news.

Posted by Chris Evans and Justin Schuh, Google Chrome Security Team

Thanks for visiting.