Google Turns Pwnium Competition into Year-Round Program

Google has decided to ditch single-day Pwnium competitions in favor of a year-round program that gives researchers the opportunity to get considerable rewards for hacking Chromium.

Up until this year, Pwnium had been held at the CanSecWest security conference in Canada. Last year, at Pwnium 4, Google offered a total of more than $2.7 million for eligible Chrome OS exploits.

The search giant believes a year-round program is better because it eliminates entry barriers. In the past, Pwnium participants needed to have an exploit ready for March and they had to physically attend the event. Now, they can submit their findings at any time directly through the Chrome Vulnerability Reward Program (VRP).

If researchers no longer have to wait until the competition to report their vulnerabilities, it’s less likely that other experts will discover the same flaws in the meantime. This approach also benefits Google: when researchers don’t have to wait until a certain date to disclose their findings, bugs get fixed more quickly.

The new Pwnium rewards pool is unlimited, or “infinity million” as Tim Willis of the Chrome Security Team called it in a blog post published on Tuesday. With the addition of Pwnium-style bug chains, the top reward in the Chrome VRP has been increased to $50,000.

“We have a standing $50,000 reward for participants that can compromise a Chromebook or Chromebox with device persistence in guest mode (i.e. guest to guest persistence with interim reboot, delivered via a web page),” Google noted on its Chrome Reward Program Rules page.

The company has argued that while this amount is smaller than what had been offered at the single-day competition, there are fewer restrictions and the chances of getting a reward are higher.

“Former Pwniums required a physical presence at the competition location, a successful demonstration of your exploit on a future version of Chrome and the delivery of a full-chain exploit via a webpage – all while doing this on one of our latest Chromebooks in a short time window in March!,” Google said. “Even if you had a bug that met all of these criteria, you still ran the risk of Google fixing the bug before Pwnium or someone else reporting the issue to us if you chose to wait for the competition.”

Google has pointed out that this is an experimental and discretionary rewards program that may be canceled or modified at any time.

Those who prefer competitions can sign up for HP’s Pwn2Own. Earlier this month, the Zero Day Initiative (ZDI) announced prizes totaling half a million dollars in cash and non-monetary rewards for the Pwn2Own 2015 contest that will take place on March 18-19 at CanSecWest. Google’s Project Zero is also sponsoring the event and participants who successfully exploit the latest release of Chrome 42, which will not be on the stable channel at the time of the event, will receive an extra $10,000.

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
