Google offers $20K bounty for successfully hacking Chrome

Pwn2Own, the annual hacking contest, is due to kick off in Vancouver on March 9th and Google are looking to make things interesting by offering $20,000 anyone able to successfully hack their browser. That's $5,000 more than is being offered by the other browsers due to go through their paces at the event.

Researchers will pit exploits against machines running either Windows 7 or Mac OS X as they try to bring down Microsoft's Internet Explorer, Mozilla's Firefox, Apple's Safari and Chrome.

The first researchers to hack IE, Firefox and Safari will receive $15,000 and the laptop running the browser. The prizes are $5,000 more than those given for exploiting browsers at the last Pwn2Own contest, and three times more than the 2009 awards.

"We've upped the ante this time around and the total cash pool allotted for prizes has risen to a whopping $125,000," said Aaron Portnoy, the manager of HP TippingPoint's security research team.

Google is only one of four vendors to put money in the prize kitty. "Kudos to the Google security team for taking the initiative to approach us on this," Portnoy said.

However, the rules are slightly different for Chrome. On day 1, Google will offer $20,000 and the laptop if a contestant can pop the browser and escape the sandbox using vulnerabilities purely present in Google-written code. If competitors are unsuccessful, on day 2 and 3 the ZDI will offer $10,000 USD for a sandbox escape in non-Google code and Google will offer $10,000 USD for the Chrome bug.

Charlie Miller, the only researcher to have won Pwn2Own prizes three years in a row, wouldn't commit last week to trying again, but on Wednesday he noticed the $20,000 for Chrome.

"Pwn2own now offering 20k for attack on Chrome," said Miller on Twitter. "Must be hard, glad Mac OS X doesn't sandbox their browser."

Miller is a Mac hacking authority -- he co-authored The Mac Hacker's Handbook with Dino Dai Zovi, a 2007 Pwn2Own winner -- and has exploited Safari each of the last three years.

Thanks to A Geek Of All for the tip.

Report a problem with article
Previous Story

Dating website imports 250,000 unwitting Facebook accounts

Next Story

Hotmail now allows aliases to help you secure your email account

22 Comments

Commenting is disabled on this article.

Dibbler said,
I guess Opera is way too secure, and thus not hackable, to be included

Or maybe Opera is not important, that hackers don't give a damn on it.

The cash prizes aren't high enough to entice the really good hackers

But hey, it's still a good step and hopefully bugs / exploits will be found and fixed.

/- Razorfold said,
The cash prizes aren't high enough to entice the really good hackers

But hey, it's still a good step and hopefully bugs / exploits will be found and fixed.

in order to exploit a flaw in chrome, you have to find a flaw in chrome first (which should not be that hard considering that webkit is the most flawed engine, according to charlie miller), but you have to find a flaw in the host OS too in order to escape the sandbox. This means you have to find a flaw in google chrome AND a flaw in windows/linux/osx to successfully exploit chrome.

And the value of a privilege escalation flaw in windows/linux is way above 20 000$... so, this is clearly not enough to motivate hackers!

I guess that if it should happen, it will happen on chrome running on osx because ASLR implementation is partial, and good hackers like charlie miller can easily find privilege escalation flaws in osx.

este said,
Where do they get the money for all of this?

...this is google we're talking about...they're not exactly short of money.
I suspect most or it is from advertising and sponsored links on searches.

Hmm, I still wish they offered a better way for people.

"If you can hack chrome, then you'll have a job with us" but I understand not everyone lives near a Google office

Then sack their current 'security' people, job done

Dan~ said,
Hmm, I still wish they offered a better way for people.

"If you can hack chrome, then you'll have a job with us" but I understand not everyone lives near a Google office

Then sack their current 'security' people, job done

LOL