
Google Turns Pwnium Competition into Year-Round Program

Google has decided to ditch single-day Pwnium competitions in favor of a year-round program that gives researchers the opportunity to get considerable rewards for hacking Chromium.

Up until this year, Pwnium had been held at the CanSecWest security conference in Canada. Last year, at Pwnium 4, Google offered a total of more than $2.7 million for eligible Chrome OS exploits.

The search giant believes a year-round program is better because it eliminates entry barriers. In the past, Pwnium participants needed to have an exploit ready for March and they had to physically attend the event. Now, they can submit their findings at any time directly through the Chrome Vulnerability Reward Program (VRP).

If researchers no longer have to wait until the competition to report their vulnerabilities, it’s less likely that other experts will discover the same flaws. This approach is also beneficial for Google because if researchers don’t have to wait until a certain date to disclose their findings, bugs get fixed more quickly.

The new Pwnium rewards pool is unlimited, or “infinity million” as Tim Willis of the Chrome Security Team called it in a blog post published on Tuesday. With the addition of Pwnium-style bug chains, the top reward in the Chrome VRP has been increased to $50,000.

“We have a standing $50,000 reward for participants that can compromise a Chromebook or Chromebox with device persistence in guest mode (i.e. guest to guest persistence with interim reboot, delivered via a web page),” Google noted on its Chrome Reward Program Rules page.

The company has argued that while this amount is smaller than what had been offered at the single-day competition, there are fewer restrictions and the chances of getting a reward are higher.

“Former Pwniums required a physical presence at the competition location, a successful demonstration of your exploit on a future version of Chrome and the delivery of a full-chain exploit via a webpage - all while doing this on one of our latest Chromebooks in a short time window in March!,” Google said. “Even if you had a bug that met all of these criteria, you still ran the risk of Google fixing the bug before Pwnium or someone else reporting the issue to us if you chose to wait for the competition.”

Google has pointed out that this is an experimental and discretionary rewards program that may be canceled or modified at any time.

Those who prefer competitions can sign up for HP’s Pwn2Own. Earlier this month, the Zero Day Initiative (ZDI) announced prizes totaling half a million dollars in cash and non-monetary rewards for the Pwn2Own 2015 contest that will take place on March 18-19 at CanSecWest. Google’s Project Zero is also sponsoring the event and participants who successfully exploit the latest release of Chrome 42, which will not be on the stable channel at the time of the event, will receive an extra $10,000.

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.