Security Experts:

Google Dangles More Than $3 Million For Security Researchers To Crack Chrome OS

Google on Monday said they are offering up serious money the security research community to help them find and fix vulnerabilities in Chrome OS.

Researchers at this year's Pwn2Own contest at the CanSecWest conference in Vancouver will already be working to find vulnerabilities in web browsers and browser plug-ins, and now Google has followed up saying that it would offer up big bucks to those who can compromise its Chrome OS.

The competition, dubbed “Pwnium 3”, will have a focus on Chrome OS and Google is offering up to a total of up to $3.14159 million in rewards for vulnerabilities discovered in the operating system.

Hoping that the larger rewards will incentivize hackers to step up to the challenge in cracking the security defenses of Chrome OS, Google said it would reward researchers at the following levels:

• $110,000: browser or system level compromise in guest mode or as a logged-in user, delivered via a web page.

• $150,000: compromise with device persistence -- guest to guest with interim reboot, delivered via a web page.

“The new rules are designed to enable a contest that significantly improves Internet security for everyone. At the same time, the best researchers in the industry get to showcase their skills and take home some generous rewards,” Chris Evans of the Google Chrome Security Team noted in a blog post. 

To qualify for a payout, the researcher must be able to demonstrate the attack against a base (WiFi) model of the Samsung Series 5 550 Chromebook, running the latest stable version of Chrome OS.

“Any installed software (including the kernel and drivers, etc.) may be used to attempt the attack,” Evans noted. “For those without access to a physical device, note that the Chromium OS developer’s guide offers assistance on getting up and running inside a virtual machine.”

As is the case with the overall rules for Pwnium, the deliverable is the full exploit plus accompanying explanation and breakdown of individual bugs used. “Exploits should be served from a password-authenticated and HTTPS-supported Google property, such as Google App Engine. The bugs used must not be known to us or fixed on trunk. We reserve the right to issue partial rewards for partial, incomplete or unreliable exploits,” Evans explained.

Both Pwn2Own and Pwnium 3 will take place at the CanSecWest conference on March 6-8.

Subscribe to the SecurityWeek Email Briefing
view counter