Security Experts:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Vulnerabilities

Google Dangles More Than $3 Million For Security Researchers To Crack Chrome OS

Google on Monday said they are offering up serious money the security research community to help them find and fix vulnerabilities in Chrome OS.

Google on Monday said they are offering up serious money the security research community to help them find and fix vulnerabilities in Chrome OS.

Researchers at this year’s Pwn2Own contest at the CanSecWest conference in Vancouver will already be working to find vulnerabilities in web browsers and browser plug-ins, and now Google has followed up saying that it would offer up big bucks to those who can compromise its Chrome OS.

The competition, dubbed “Pwnium 3”, will have a focus on Chrome OS and Google is offering up to a total of up to $3.14159 million in rewards for vulnerabilities discovered in the operating system.

Hoping that the larger rewards will incentivize hackers to step up to the challenge in cracking the security defenses of Chrome OS, Google said it would reward researchers at the following levels:

• $110,000: browser or system level compromise in guest mode or as a logged-in user, delivered via a web page.

• $150,000: compromise with device persistence — guest to guest with interim reboot, delivered via a web page.

“The new rules are designed to enable a contest that significantly improves Internet security for everyone. At the same time, the best researchers in the industry get to showcase their skills and take home some generous rewards,” Chris Evans of the Google Chrome Security Team noted in a blog post. 

To qualify for a payout, the researcher must be able to demonstrate the attack against a base (WiFi) model of the Samsung Series 5 550 Chromebook, running the latest stable version of Chrome OS.

“Any installed software (including the kernel and drivers, etc.) may be used to attempt the attack,” Evans noted. “For those without access to a physical device, note that the Chromium OS developer’s guide offers assistance on getting up and running inside a virtual machine.”

As is the case with the overall rules for Pwnium, the deliverable is the full exploit plus accompanying explanation and breakdown of individual bugs used. “Exploits should be served from a password-authenticated and HTTPS-supported Google property, such as Google App Engine. The bugs used must not be known to us or fixed on trunk. We reserve the right to issue partial rewards for partial, incomplete or unreliable exploits,” Evans explained.

Both Pwn2Own and Pwnium 3 will take place at the CanSecWest conference on March 6-8.

Written By

For more than 10 years, Mike Lennon has been closely monitoring the threat landscape and analyzing trends in the National Security and enterprise cybersecurity space. In his role at SecurityWeek, he oversees the editorial direction of the publication and is the Director of several leading security industry conferences around the world.

Click to comment

Expert Insights

Related Content

Mobile & Wireless

Technical details published for an Arm Mali GPU flaw leading to arbitrary kernel code execution and root on Pixel 6.

Mobile & Wireless

Apple rolled out iOS 16.3 and macOS Ventura 13.2 to cover serious security vulnerabilities.

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

Mobile & Wireless

Apple’s iOS 12.5.7 update patches CVE-2022-42856, an actively exploited vulnerability, in old iPhones and iPads.

Vulnerabilities

Security researchers have observed an uptick in attacks targeting CVE-2021-35394, an RCE vulnerability in Realtek Jungle SDK.

Mobile & Wireless

Two vulnerabilities in Samsung’s Galaxy Store that could be exploited to install applications or execute JavaScript code by launching a web page.

Vulnerabilities

Several vulnerabilities have been patched in OpenText’s enterprise content management (ECM) product.

Vulnerabilities

Google has awarded more than $25,000 to the researchers who reported the vulnerabilities patched with the release of the latest Chrome update.