Google has announced Pwnium2 and has increased the level of bonuses it pays through its Chromium Vulnerability Rewards Program.
Thanks to the efforts of security researchers, Chromium has become more secure - but this also means that finding security holes has become more difficult. Google has therefore decided to add a bonus of $1,000 or more on top of the amounts already on offer to those who report exploitable bugs. It has already retroactively awarded a bonus of $3,000 to demonstrate how the updated scheme will work.
The Chromium Vulnerability Rewards Program is ongoing and awards sums of up to $10,000 but there are bigger prizes on offer for Pwnium2. In the blog post announcing the new contest, which will take place in conjunction with the Hack In The Box 10 year anniversary conference in Kuala Lumpur, Malaysia, Google's Chris Evans writes:
This time, we'll be sponsoring up to $2 million worth of rewards
and explains that the reward levels are closer together than previously to reflect the fact that any local account compromise is very serious.
There are three set levels with multiple awards on offer:
- $60,000: "Full Chrome exploit": Chrome / Win7 local OS user account persistence using only bugs in Chrome itself.
- $50,000: "Partial Chrome exploit": Chrome / Win7 local OS user account persistence using at least one bug in Chrome itself, plus other bugs. For example, a WebKit bug combined with a Windows kernel bug.
- $40,000: "Non-Chrome exploit": Flash / Windows / other. Chrome / Win7 local OS user account persistence that does not use bugs in Chrome. For example, bugs in one or more of Flash, Windows or a driver.
An indeterminate amount of money will also be awarded at the panel's discretion for "incomplete exploits": ones that are not reliable, or have an incomplete exploit chain. For example, code execution inside the sandbox but no sandbox escape; or a working sandbox escape in isolation. As Evans explains:
For Pwnium 2, we want to reward people who get "part way" as we could definitely learn from this work. Our rewards panel will judge any such works as generously as we can.
At the first Pwnium contest, for which Google had offered up to $1 million, Google actually handed out $120,000. It has given security researchers more notice for this second event and doubled the available prize money. We'll discover in October what the outcome is.