This year Google wants to go even further. At the upcoming CanSecWest security conference, Google will once again sponsor rewards for Google Chrome exploits. The aim of the program is simple: Google feels they have a big learning opportunity when working with security researchers and receiving full end-to-end exploits. Not only can the Google team then fix the bugs, but they can studying the vulnerability and exploit techniques used by security teams to can enhance mitigations, automated testing, and sandboxing. This enables us better protection for end users.
To up the ante, and of course provide some extra incentive for researchers to share their exploits, Google has upped the ante from their standard reward program and past bonuses given at CanSecWest. This year they will directly sponsor up to $1 million worth of rewards in the following categories:
- $60,000 - “Full Chrome exploit”: Chrome / Win7 local OS user account persistence using only bugs in Chrome itself.
- $40,000 - “Partial Chrome exploit”: Chrome / Win7 local OS user account persistence using at least one bug in Chrome itself, plus other bugs. For example, a WebKit bug combined with a Windows sandbox bug.
- $20,000 - “Consolation reward, Flash / Windows / other”: Chrome / Win7 local OS user account persistence that does not use bugs in Chrome. For example, bugs in one or more of Flash, Windows or a driver. These exploits are not specific to Chrome and will be a threat to users of any web browser. Although not specifically Chrome’s issue, we’ve decided to offer consolation prizes because these findings still help us toward our mission of making the entire web safer.
There will be multiple rewards offered per category, up to the $1 million limit, on a first-come-first served basis. There is no splitting of winnings or “winner takes all.” Google will require each set of exploit bugs to be reliable, fully functional end to end, disjoint, of critical impact, present in the latest versions and genuinely “0-day,” i.e. not known to us or previously shared with third parties. Contestant’s exploits must be submitted to and judged by Google before being submitted anywhere else.
This is a new program for Google, who withdrew their sponsorship from the annual Pwn2Own contest over concerns that contestants are allowed to enter Pwn2Own without having to reveal the full exploits to software vendors. Full exploits have been handed over in previous years, but it’s an explicit non-requirement in this year’s contest which Google felt was unacceptable.
Chrome will still be on the list of Pwn2Own targets, which also includes Microsoft Internet Explorer, Apple Safari and Mozilla Firefox. However, there won't be the bonus bounty offered last year.