All Change For Pwnium V
Written by Alex Armstrong   
Thursday, 26 February 2015

Google has scrapped its annual one-day contest to demonstrate vulnerabilities in Chrome. In future bugs can attract rewards all the year round.

Security researchers might have expected an announcement before now about Google's annual Pwnium hacking contest that has taken place in early at CanSecWest over recent years, offering rewards potentially amounting to millions of dollars.

Now the Chromium blog has broken the silence - and changed the rules in a big way. The Pwnium contest is now never ending,  rewards pool is similarly limitless. The top reward on the Chrome Reward Program for a qualifying bug in the Chrome OS will now be $50,000. While this is a big step up for the Chrome Reward program which previously had a maximum of $15,00 (see Google Increases Maximum Bounty For Chrome Bugs), it is significantly less than the prizes of up to $150,000 awarded at previous Pwnium contests

According to the Chrome security team, moving from a once-a-year event to being a continual competition removes the barriers to entry - previously only those who had pre-registered and are were actually CanSecWest were eligible for the Pwnium rewards - and removes the incentive for "bug hoarding,  that is discovering a bug and waiting until the annual contest to report it in order to cash in. 

The Chrome Security team points out:

This is a bad scenario for all parties. It’s bad for us because the bug doesn’t get fixed immediately and our users are left at risk. It’s bad for them as they run the real risk of a bug collision. By allowing security researchers to submit bugs all year-round, collisions are significantly less likely and security researchers aren’t duplicating their efforts on the same bugs.

In addition, having asked some researchers, the team discovered that having the option to report all year round is the preferred option.


 Although Pwnium won't be at CanSecWest 2015, taking place March 18-20 in Vancouver, Canada, the longer established Pwn2Own contest organized by Hewlett Packard's Zero Day Initiative will be there. The prize funds this year are expected to total over half a million dollars in cash and non-cash awards and Google is one of the sponsors. 

The following targets and prizes have been announced on the HP Security Research blog:

Windows-based targets: 

  • Google Chrome (64-bit): $75,000
  • Microsoft Internet Explorer 11 (64-bit with EPM-enabled): $65,000
  • Mozilla Firefox: $30,000
  • Adobe Reader running in Internet Explorer 11 (64-bit with EPM-enabled): $60,000
  • Adobe Flash (64-bit) running in Internet Explorer 11 (64-bit with EPM-enabled): $60,000


Mac OS X-based targets: 

  • Apple Safari (64-bit): $50,000

In addition, on Windows-based targets, a contestant who achieves system-level code execution will receive an additional $25,000. Moreover, for the Google Chrome target, the Chrome Security Team will provide a top-up reward of $10,000 for any entry that can also successfully exploit the latest release of the Chrome 42 release channel even though Chrome 42 won't be on the stable channel at the time of the competition.


More Information

Chrome Reward Program Rules

Pwnium V: the never-ending* Pwnium

Pwn2Own 2015: Exploitation at its Finest!

Related Articles

$2.7 Million On Offer For Pwnium 4 

Google Increases Maximum Bounty For Chrome Bugs

Google Announces More Cash For Security Bugs

Chrome Hacked Twice at CanSecWest

Google Offers $1 million for Chrome Hack

Google Offers Cash For Security Patches

Chrome, IE and Firefox Hacked


To be informed about new articles on I Programmer, install the I Programmer Toolbar, subscribe to the RSS feed, follow us on, Twitter, FacebookGoogle+ or Linkedin,  or sign up for our weekly newsletter.





or email your comment to:



Hydra Turns PostgreSQL Into A Column Store

Hydra is an open-source extension that adds columnar tables to Postgres for efficient analytical reporting. Version 1.0 is generally available.

PHP 8.3 Released

PHP 8.3 has been released with improvements including explicit typing of class constants, deep cloning of readonly properties, and additions to randomness functionality.

More News

Last Updated ( Thursday, 26 February 2015 )