Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Vulnerabilities

Google Dangles More Than $3 Million For Security Researchers To Crack Chrome OS

Google on Monday said they are offering up serious money the security research community to help them find and fix vulnerabilities in Chrome OS.

Google on Monday said they are offering up serious money the security research community to help them find and fix vulnerabilities in Chrome OS.

Researchers at this year’s Pwn2Own contest at the CanSecWest conference in Vancouver will already be working to find vulnerabilities in web browsers and browser plug-ins, and now Google has followed up saying that it would offer up big bucks to those who can compromise its Chrome OS.

The competition, dubbed “Pwnium 3”, will have a focus on Chrome OS and Google is offering up to a total of up to $3.14159 million in rewards for vulnerabilities discovered in the operating system.

Hoping that the larger rewards will incentivize hackers to step up to the challenge in cracking the security defenses of Chrome OS, Google said it would reward researchers at the following levels:

• $110,000: browser or system level compromise in guest mode or as a logged-in user, delivered via a web page.

• $150,000: compromise with device persistence — guest to guest with interim reboot, delivered via a web page.

“The new rules are designed to enable a contest that significantly improves Internet security for everyone. At the same time, the best researchers in the industry get to showcase their skills and take home some generous rewards,” Chris Evans of the Google Chrome Security Team noted in a blog post. 

To qualify for a payout, the researcher must be able to demonstrate the attack against a base (WiFi) model of the Samsung Series 5 550 Chromebook, running the latest stable version of Chrome OS.

Advertisement. Scroll to continue reading.

“Any installed software (including the kernel and drivers, etc.) may be used to attempt the attack,” Evans noted. “For those without access to a physical device, note that the Chromium OS developer’s guide offers assistance on getting up and running inside a virtual machine.”

As is the case with the overall rules for Pwnium, the deliverable is the full exploit plus accompanying explanation and breakdown of individual bugs used. “Exploits should be served from a password-authenticated and HTTPS-supported Google property, such as Google App Engine. The bugs used must not be known to us or fixed on trunk. We reserve the right to issue partial rewards for partial, incomplete or unreliable exploits,” Evans explained.

Both Pwn2Own and Pwnium 3 will take place at the CanSecWest conference on March 6-8.

Written By

For more than 15 years, Mike Lennon has been closely monitoring the threat landscape and analyzing trends in the National Security and enterprise cybersecurity space. In his role at SecurityWeek, he oversees the editorial direction of the publication and is the Director of several leading security industry conferences around the world.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.

Register

SecurityWeek’s Ransomware Resilience and Recovery Summit helps businesses to plan, prepare, and recover from a ransomware incident.

Register

Expert Insights

Related Content

Vulnerabilities

Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...

Vulnerabilities

A researcher at IOActive discovered that home security systems from SimpliSafe are plagued by a vulnerability that allows tech savvy burglars to remotely disable...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...

Cybercrime

Patch Tuesday: Microsoft calls attention to a series of zero-day remote code execution attacks hitting its Office productivity suite.

Vulnerabilities

Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.

Vulnerabilities

The latest Chrome update brings patches for eight vulnerabilities, including seven reported by external researchers.