Google to offer up $3.14159 million if you can crack Chrome OS

Google quite frequently offers up cash to those who can find security holes in its software, and if you are headed to Pwnium this year, you can walk away with a serious amount of cash.

Google is offering up $3.14159 million to anyone able to hack Chrome OS. The full amount will not go to one individual; instead, Google will be offering up a piece of that Pi to anyone who can find and exploit a flaw in Chrome OS via a web page.

Google will be giving out $110,000 for each temporary compromise or $150,000 for each compromise that is able to survive a reboot of the machine. One stipulation is that the flaw must be exploited on a Samsung 550 Chromebook that is using a WiFi connection.

For Google, while this may sound expensive, it is actually a cheap way to have outside researchers find holes before they are uncovered and exploited in the wild. This is not a lazy approach, since Google has a security team working on the OS, but no single entity is perfect. Crowdsourcing its security efforts alongside its internal procedures helps make the OS more secure, which is a benefit to the end user.

The Pwnium contest will take place in Vancouver in March.

Source: Yahoo

44 Comments


If the money is right, people will try. 3mil is a lot of money.

read the article.
it is "only" $150k for an exploit that would have to exploit a flaw in the browser, exploit a flaw in the sandbox, and exploit another flaw to persist after restart.

that's a lot of work for a team of skilled hackers. Several months of work with no guarantee of success.

even attacking Windows RT with a browser flaw has never been done before, despite the fact that it is similar to Windows x86.

You said yourself, that Chrome OS has been out for 2yrs or so. Considering that, there is plenty of time for hackers to fool around with Chrome OS and find a way to crack it. Hackers are not going to wait for Google to announce a payment and I am sure someone has been messing with Chrome already. Just like every year when the contest between Windows/iOS/Linux comes out...some take days to crack (if at all) and some take 10 minutes. And these systems are updated with the latest patches/security fixes before the contest.

two years of existence, and still 0.0x% of market share.
I don't think there are many skilled hackers wasting their time on it when they can earn a lot of money with other platforms.

btw, at hacking contests, when someone hacks a system in 5 minutes, that's because he had the exploit code ready before coming to the contest.
it takes rather 5 months than 5 minutes to identify a 0day flaw, and develop an exploit that can bypass ASLR, DEP and the browser sandbox.

That's great and all, but what happens when a rogue website dev says, "hey hacker, I'll give you 200k for the exploit if you don't disclose it to Google"

Some random hacker is really going to offer $200k for an exploit... on a system that barely has any marketshare... read: Targets... read: chance to make investment back?

I doubt you'd get 200k for a Windows/iPhone/Android zero day... although it'd be nice to know how much a zero-day actually does go for.

Kalint said,
How cool would that be if Google gave them actual pie instead!

Anyone who cracks any code, never gets pie.

Choto Cheeta said,
Where can I download the Chrome OS and can I install it in my PC

Where can I download and install OSX or Windows 8 RT to install in my PC ?

And after you've hacked the OS, you can do things like... like...
.... brb, looking up what you can do on Chrome OS


But it says there are 1000s of apps! Of course, when there are only 150,000 on the Windows Phone app store (released October 2010) and over 40,000 for the Win8 store (released October 2012). And we know how bad those app stores are - people here on Neowin like to tell us all the time. But Chrome OS has 1000s since Nov. 2009. Yep, the Windows Phone and Windows8 ecosystems, they are bad and you cannot do anything with those devices. But Chrome, you can do anything you want and it will revolutionize the world.

Oh, and I love how WinRT is supposedly confusing to people, but naming your web browser (the thing that runs on PCs) Chrome, naming your OS for a limited number of devices Chrome, and naming the computers Chromebook and Chromebox - that is in no way confusing and people will immediately know the differences.

techbeck said,

This is about cracking Chrome OS. This is not about Windows and what people think about it.

You linked to a web site showing what Chrome OS can do. Not a link about cracking Chrome OS. But then, it is fine for you to go off script, but anyone else, no, no, no, can't do that.

nohone said,

You linked to a web site showing what Chrome OS can do. Not a link about cracking Chrome OS. But then, it is fine for you to go off script, but anyone else, no, no, no, can't do that.

I was responding to someone who said he was going to look at what Chrome OS can do. So I provided him with a link. So I am staying on topic and discussing Chrome OS.

We all know your distaste towards Google and a lot of Google threads, you have to bring Windows in to it. Again, this thread is NOT about Windows and what people think about it. It is about Chrome...period.

techbeck said,

I was responding to someone who said he was going to look at what Chrome OS can do. So I provided him with a link. So I am staying on topic and discussing Chrome OS.

(and thank you for the link)

What I've heard of Chrome OS so far seems to focus on how it is a limited OS. However, it's also based on Linux. I was just curious to know if the OS is best described as "Chrome browser running on Linux" (in which case, gaining access to Linux underneath is a huge deal) or "Chrome browser is a custom OS" (in which case, the OS as a whole will never be as capable as Linux, and running remote code is not a huge deal)

techbeck said,

I was responding to someone who said he was going to look at what Chrome OS can do. So I provided him with a link. So I am staying on topic and discussing Chrome OS.

We all know your distaste towards Google and a lot of Google threads, you have to bring Windows in to it. Again, this thread is NOT about Windows and what people think about it. It is about Chrome...period.

The funny thing is a few days ago someone wrote a comment that was completely off topic trying to attack Surface, so did more or less what you did - say that it was off topic and we should not be going off topic, just to see what the reaction was. Of course, I was attacked because it was perfectly fine, because a comparison was being made and comparisons are perfectly fine.

billyea was not talking about going to look at what Chrome OS could do, he was poking fun at it. But since you were providing a link to advertise Chrome, even though it was not about hacking Chrome, you decided it was on topic and is perfectly fine for you to post. Once again, deciding what the rules are, and bending them to make sure that Chrome is portrayed in the best light, and then bringing out the hater card to make sure you reinforce the point.

nohone said,

billyea was not talking about going to look at what Chrome OS could do, he was poking fun at it.

Yet he just thanked me for the link and provided an on topic reply.

I've said what I wanted to say...have a good one.

billyea said,

(and thank you for the link)

What I've heard of Chrome OS so far seems to focus on how it is a limited OS. However, it's also based on Linux. I was just curious to know if the OS is best described as "Chrome browser running on Linux" (in which case, gaining access to Linux underneath is a huge deal) or "Chrome browser is a custom OS" (in which case, the OS as a whole will never be as capable as Linux, and running remote code is not a huge deal)

It is limited and is intended to be limited. It even has an offline mode so you can still work on documents/files while offline and not connected to the network.

techbeck said,

Yet he just thanked me for the link and provided an on topic reply.

I've said what I wanted to say...have a good one.

And what I was doing was comparing one of the big bullet points from that link, that they have 1000s of apps in their store, and then making a comparison based upon that. But what I wrote was not a positive for Google, using the same arguments people who use Google's Android make against the competition, so it needs to be shut down and not talked about.

nohone said,

And what I was doing was comparing one of the big bullet points from that link, that they have 1000s of apps in their store, and then making a comparison based upon that. But what I wrote was not a positive for Google, using the same arguments people who use Google's Android make against the competition, so it needs to be shut down and not talked about.

Yes and that was off-topic.

He was discussing how a hack would have implications on the OS, you were crying over a perceived bias, first comment was on-topic, your comment was off-topic.

billyea said,
And after you've hacked the OS, you can do things like... like...
.... brb, looking up what you can do on Chrome OS

If I was able to crack the OS..... I could not care less to do something with it; I would focus on what to do with the money I got....

techbeck said,

I was responding to someone who said he was going to look at what Chrome OS can do. So I provided him with a link. So I am staying on topic and discussing Chrome OS.

We all know your distaste towards Google and a lot of Google threads, you have to bring Windows in to it. Again, this thread is NOT about Windows and what people think about it. It is about Chrome...period.

Indeed; we all have our own preferences but this kind of whining, especially on a site like Neowin, is even detrimental to the subject it is supposed to support.

I think this comment chain needs to be cleaned up.

Yes, I was poking fun at Chrome OS, but after being provided with a legitimate response, I gave a legitimate thanks. You know, because I love tech and I'm willing to learn more about Chrome OS (even though I don't think it's all that good).

nohone said,


But it says there are 1000s of apps! Of course, when there are only 150,000 on the Windows Phone app store (released October 2010) and over 40,000 for the Win8 store (released October 2012). And we know how bad those app stores are - people here on Neowin like to tell us all the time. But Chrome OS has 1000s since Nov. 2009. Yep, the Windows Phone and Windows8 ecosystems, they are bad and you cannot do anything with those devices. But Chrome, you can do anything you want and it will revolutionize the world.

Oh, and I love how WinRT is supposedly confusing to people, but naming your web browser (the thing that runs on PCs) Chrome, naming your OS for a limited number of devices Chrome, and naming the computers Chromebook and Chromebox - that is in no way confusing and people will immediately know the differences.

I like how you got all of that from a link that Techbeck posted. No one in this thread, or on this page for that matter, was making those types of claims. Like, no one made off like Chrome is going to revolutionize the world, or that the Windows ecosystem was bad.

So I have to ask. Who are you arguing with?

I am sure this will get cracked...anything is crackable. Just a matter of when really. Would be interesting to see how long it takes someone to do it.

techbeck said,
I am sure this will get cracked...anything is crackable. Just a matter of when really. Would be interesting to see how long it takes someone to do it.

considering it took 2 years before Chrome had enough market share (around 15%) to become interesting for Security researchers (who have since managed to exploit it several times), it is unlikely that anyone will even try to look for flaws in this OS with market share close to 0%.

furthermore, with less than two months before this contest deadline, Google perfectly knows that security researchers don't have enough time to develop working exploits, considering even an IE9/Win7 exploit takes several months to be developed.

so, this contest is nothing more than brilliant marketing.
people will imagine that ChromeOS is invulnerable like they did during the two years Google Chrome remained untouched.

link8506 said,

considering it took 2 years before Chrome had enough market share (around 15%) to become interesting for Security researchers (who have since managed to exploit it several times), it is unlikely that anyone will even try to look for flaws in this OS with market share close to 0%.

If the money is right, people will try. 3mil is a lot of money.


furthermore, with less than two months before this contest deadline, Google perfectly knows that security researchers don't have enough time to develop working exploits, considering even an IE9/Win7 exploit takes several months to be developed.

You said yourself, that Chrome OS has been out for 2yrs or so. Considering that, there is plenty of time for hackers to fool around with Chrome OS and find a way to crack it. Hackers are not going to wait for Google to announce a payment and I am sure someone has been messing with Chrome already. Just like every year when the contest between Windows/iOS/Linux comes out...some take days to crack (if at all) and some take 10 minutes. And these systems are updated with the latest patches/security fixes before the contest.

techbeck said,

If the money is right, people will try. 3mil is a lot of money.


read the article.
it is "only" $150k for an exploit that would have to exploit a flaw in the browser, exploit a flaw in the sandbox, and exploit another flaw to persist after restart.

that's a lot of work for a team of skilled hackers. Several months of work with no guarantee of success.

even attacking Windows RT with a browser flaw has never been done before, despite the fact that it is similar to Windows x86.



You said yourself, that Chrome OS has been out for 2yrs or so. Considering that, there is plenty of time for hackers to fool around with Chrome OS and find a way to crack it. Hackers are not going to wait for Google to announce a payment and I am sure someone has been messing with Chrome already. Just like every year when the contest between Windows/iOS/Linux comes out...some take days to crack (if at all) and some take 10 minutes. And these systems are updated with the latest patches/security fixes before the contest.


two years of existence, and still 0.0x% of market share.
I don't think there are many skilled hackers wasting their time on it when they can earn a lot of money with other platforms.

btw, at hacking contests, when someone hacks a system in 5 minutes, that's because he had the exploit code ready before coming to the contest.
it takes rather 5 months than 5 minutes to identify a 0day flaw, and develop an exploit that can bypass ASLR, DEP and the browser sandbox

link8506 said,


read the article.
it is "only" $150k for an exploit that would have to exploit a flaw in the browser, exploit a flaw in the sandbox, and exploit another flaw to persist after restart.

My mistake...but still a good chunk of change. Even if no one hacks it this time, someone eventually will.

link8506 said,

btw, at hacking contests, when someone hacks a system in 5 minutes, that's because he had the exploit code ready before coming to the contest.
it takes rather 5 months than 5 minutes to identify a 0day flaw, and develop an exploit that can bypass ASLR, DEP and the browser sandbox

Finally, someone who knows what they are talking about. You cannot just "hack" something without significant resources behind you. When something like Chrome OS has literally less than 0.0% market share there is no incentive to even look at it. As mentioned above by someone in the know, this is little more than a marketing stunt to make people think Chrome OS is invincible (like they did with Chrome and it's got exploits riddled with it now so you'll see Google stopped stressing the "most secure" crap).

ingramator said,

When something like Chrome OS has literally less than 0.0% market share there is no incentive to even look at it.

Still doesn't mean someone hasn't tried or will not try to hack it. To think no one hasn't even looked at it is foolish, IMO