Google Puts Its Money on Chrome OS


Last week Google announced the details of the third iteration of Pwnium, Google’s contest where it gives cash to security researchers who can demonstrate vulnerabilities in select Google applications. The big news of this announcement was that the amount of money got much bigger (up to 3.14 million dollars in rewards), and the target shifted from the Chrome browser to Chrome OS. This is interesting for a whole host of reasons that directly impact the future of security.

Google Raises the Stakes

From a pure security perspective, vulnerability research is obviously a very good thing – it’s far better for the author of an application to proactively find their weaknesses in a relatively controlled way as opposed to having the bad guys find them in the wild. This is why Google is offering bounties for newly discovered vulns against Chrome OS and the Chrome browser. What’s unique is the amount of money that Google is putting into the pot.

While $3 million isn’t a lot of money to Google, it is a lot of money compared to what the industry has paid for vulnerabilities in the past. As a point of reference, Google gave away $1 million for last year’s Pwnium contest at CanSecWest. At the time, that amount was a bit shocking because the rewards towered over the more traditional Pwn2Own contest, run by HP’s ZDI team. This year, however, Google is playing well with others and is once again participating and contributing to the Pwn2Own contest in addition to running their own Pwnium contest. That is a lot of commitment to vulnerability research by Google.

It does create an interesting dynamic, however. Google is paying more money, but it is also asking for more from researchers. Unlike previous events, which only required researchers to demonstrate a vulnerability, Google’s Pwnium requires access to the full working exploit. This puts them in a bidding war, not with other companies and vendors, but with the governments and criminal organizations that pay top dollar for that sort of information. One way or another, Google is certainly entering the deep part of the pool.

Follow the Money

While the dollar figures will certainly make people take notice, I believe what they are spending that money on is even more interesting. The majority of the π-million dollars of bounties are dedicated to finding vulnerabilities in Chrome OS. Since the Chrome browser is already part of the Pwn2Own contest, Google decided to focus Pwnium on their still relatively new operating system, Chrome OS. So not only is Google raising the bar, installing a ladder and raising the bar again in terms of vuln bounties – they are doing so for an operating system that is virtually non-existent in the wild. The choice is even more interesting considering that Google is offering nothing for vulns related to their Android operating system, which, oh by the way, happens to be the dominant OS on mobile devices on the planet. If nothing else, this disparity clearly points out how strategic the browser-as-the-OS approach is to Google’s future.

This evolution will continue to force security teams to evolve their definitions of what an application is and how applications are controlled. The browser is already the major portion of the attack surface for most end-users. Many highly dynamic applications are tunneled through the browser today, and almost any protocol can be tunneled within HTTP. Exploits are served to end-users through the browser using exploit kits such as Black Hole. JavaScript and a variety of client-side technologies are abused in cross-site scripting attacks, and a variety of browser plugins such as Flash and Java are common sources of attack.


A browser-OS model pushes this evolution to its logical extreme. Literally every application becomes a web-application or plugin, and the browser (or something like it) comes to represent virtually all of user-space in an OS sense. And to paraphrase Stan Lee, with that great power comes great responsibility. A responsibility that will require much more than bounties on vulnerabilities. Google seems to be committed to the task thus far, but it will be a very interesting evolution to watch over the coming months and years.
