Starting today, Pwnium will change its scope significantly, from a single-day competition held once a year at CanSecWest to a year-round, worldwide opportunity for security researchers to showcase their findings on the latest bugs and vulnerabilities.
Google says it is making these changes for several reasons. The biggest, of course, is the delay in reporting new finds. As it stands there is little incentive for researchers to come forward with vulnerabilities, because it literally doesn’t pay to do so. With the new, more lucrative rewards program, Google hopes to eliminate those delays. Some of the other reasons given for the changes are:
- Removing barriers to entry: At Pwnium competitions, a security researcher would need to have a bug chain in March, pre-register, have a physical presence at the competition location and hopefully get a good timeslot. Under the new scheme, security researchers can submit their bugs year-round through the Chrome Vulnerability Reward Program (VRP) whenever they find them.
- Removing the incentive for bug hoarding: If a security researcher was to discover a Pwnium-quality bug chain today, it’s highly likely that they would wait until the contest to report it to get a cash reward. This is a bad scenario for all parties. It’s bad for us because the bug doesn’t get fixed immediately and our users are left at risk. It’s bad for them as they run the real risk of a bug collision. By allowing security researchers to submit bugs all year-round, collisions are significantly less likely and security researchers aren’t duplicating their efforts on the same bugs.
- Our researchers want this: On top of all of these reasons, we asked our handful of participants if they wanted an option to report all year. They did, so we’re delivering.
Starting today, instead of going the traditional route and applying for Pwnium, researchers can submit bug chains to the Chrome Vulnerability Reward Program for confirmation and possible payout. Here is the list of rules for submission:
- Only the first report of a given issue that we were previously unaware of is eligible. In the event of a duplicate submission, the earliest filed bug report in the bug tracker is considered the first report.
- Bugs disclosed publicly or to a third-party for purposes other than fixing the bug will typically not qualify for a reward. We encourage responsible disclosure, and believe responsible disclosure is a two-way street; it’s our duty to fix serious bugs within a reasonable time frame.
- If you have a fuzzer running on ClusterFuzz as part of our Trusted Researcher program, you will not receive a reward if one of our fuzzers finds the same bug within 48 hours.
Security teams and researchers who are interested are invited by Google to check out its FAQ for more information. Good luck and happy bug hunting!