October 30, 2014

Google ups bounties for finding vulnerabilities in Chrome and offers over $2 million in prize money for Pwnium 2

(LiveHacking.Com) – Many people have benefited from Google’s Chrome Vulnerability Rewards Program, which was created to reward security researchers who invest their time and effort in helping find security vulnerabilities in Chrome and its open source counterpart Chromium. Not only does Google get a more secure browser and users a safer web experience, but browsers like Safari also benefit, as they are built on the same WebKit rendering engine.

Google, which has paid out over $1 million in rewards, has recently made two big announcements with regard to the rewards it is offering researchers. First, three new $1000 rewards have been announced, which will be added to the base reward for finding vulnerabilities that are at least particularly exploitable, for bugs in stable areas of the code base and for serious bugs which impact a significantly wider range of products than just Chrome (e.g. open source libraries).

Google has also announced that it will host a second Pwnium competition. Pwnium 2 will be held on Oct 10th, 2012 at the Hack In The Box 10 year anniversary conference in Kuala Lumpur, Malaysia. The prize money up for grabs totals $2 million:

  • $60,000: ‘Full Chrome exploit’: Chrome / Win7 local OS user account persistence using only bugs in Chrome itself.
  • $50,000: ‘Partial Chrome exploit’: Chrome / Win7 local OS user account persistence using at least one bug in Chrome itself, plus other bugs. For example, a WebKit bug combined with a Windows kernel bug.
  • $40,000: ‘Non-Chrome exploit’: Flash / Windows / other. Chrome / Win7 local OS user account persistence that does not use bugs in Chrome. For example, bugs in one or more of Flash, Windows or a driver.
  • $Panel decision: ‘Incomplete exploit’: An exploit that is not reliable, or an incomplete exploit chain. For example, code execution inside the sandbox but no sandbox escape; or a working sandbox escape in isolation.

“For Pwnium 2, we want to reward people who get ‘part way’ as we could definitely learn from this work. Our rewards panel will judge any such works as generously as we can,” wrote Chris Evans, a software engineer at Google.

Google Closes 16 Holes in Chrome and Pays Over $14,000 in Rewards

Google has released Chrome version 8.0.552.237, which fixes 16 vulnerabilities in the increasingly popular web browser. Many of the vulnerabilities were found by people outside of the Chrome development team, and Google has rewarded their efforts with dollars.

Under the Vulnerability Rewards Program, security researchers who invest their time and effort in helping to make Chrome (and Chromium) more secure are rewarded with monetary awards and public recognition. There is even a Hall of Fame.

For the latest update, the star of the show was Sergey Glazunov, who received $3133.7 for finding critical vulnerabilities. Sergey also found several other problems and in total collected $7,470.7 for his efforts. Other developers were rewarded for eight further vulnerabilities, and in total Google paid out over $14,000.

Google also updated Chrome OS to version 8.0.552.334, applying the same security fixes.