Google offers $20K bounty for successfully hacking Chrome

Pwn2Own, the annual hacking contest, is due to kick off in Vancouver on March 9th and Google are looking to make things interesting by offering $20,000 to anyone able to successfully hack their browser. That's $5,000 more than is being offered for the other browsers due to be put through their paces at the event.

Researchers will pit exploits against machines running either Windows 7 or Mac OS X as they try to bring down Microsoft's Internet Explorer, Mozilla's Firefox, Apple's Safari and Chrome.

The first researchers to hack IE, Firefox and Safari will receive $15,000 and the laptop running the browser. The prizes are $5,000 more than those given for exploiting browsers at the last Pwn2Own contest, and three times more than the 2009 awards.

"We've upped the ante this time around and the total cash pool allotted for prizes has risen to a whopping $125,000," said Aaron Portnoy, the manager of HP TippingPoint's security research team.

Google is only one of four vendors to put money in the prize kitty. "Kudos to the Google security team for taking the initiative to approach us on this," Portnoy said.

However, the rules are slightly different for Chrome. On day 1, Google will offer $20,000 and the laptop if a contestant can pop the browser and escape the sandbox using only vulnerabilities present in Google-written code. If competitors are unsuccessful, on days 2 and 3 the ZDI will offer $10,000 USD for a sandbox escape in non-Google code and Google will offer $10,000 USD for the Chrome bug.

Charlie Miller, the only researcher to have won Pwn2Own prizes three years in a row, wouldn't commit last week to trying again, but on Wednesday he noticed the $20,000 for Chrome.

"Pwn2own now offering 20k for attack on Chrome," said Miller on Twitter. "Must be hard, glad Mac OS X doesn't sandbox their browser."

Miller is a Mac hacking authority -- he co-authored The Mac Hacker's Handbook with Dino Dai Zovi, a 2007 Pwn2Own winner -- and has exploited Safari each of the last three years.

Thanks to A Geek Of All for the tip.
