Google's Chrome security team is paying up to $1 million in rewards for researchers who find exploits in the popular Web browser. The payouts will come at CanSecWest's security conference next week.
Acting on the
notion that it is harder to find exploits than security bugs, Google
(NASDAQ:GOOG) is offering up to $1 million in rewards to those who find full
and partial exploits in the popular Web browser.
which will be doled out at the Pwn2Own hacking contest at the
CanSecWestCanSecWest security conference in Vancouver next week, also include a
free Chromebook for every participant who submits an exploit.
include $60,000 for a full Chrome exploit covering user account persistence
using only bugs in Chrome. Google is offering $40,000 for partial Chrome
exploits covering persistence using at least one bug in Chrome itself, and
other bugs, such as a WebKit bug combined with a Windows sandbox bug.
The company is
further paying $20,000 for consolation awards, to those who find flaws in Flash,
Windows or a driver, which may threaten any Web browser if exploited
The idea is
not only to help Google hunt and squash bugs in Chrome, which has more than 220
million users, but also to help the Chrome security team study vulnerabilities
and exploit techniques to bolster the browser's security in the future.
program extends the company's popular Chromium Security Rewards program
"by recognizing that developing a fully functional exploit is
significantly more work than finding and reporting a potential security
bug," the Chrome security team said in a blog post.
offer multiple rewards per category, up to the $1 million limit, with rewards
coming on a first-come, first-served basis. Each set of exploit bugs must be
fully functional, of critical impact, present in the latest versions and be genuinely
zero-day vulnerabilities, or not be known to Google or third parties.
Google noted that while it was going to sponsor this year's Pwn2Own competition,
it withdrew its sponsorship when it learned that contestants are permitted to
enter Pwn2Own without having to reveal full exploits to vendors.
like this approach, insisting that exploits be sent to Google and judged by
Google before being submitted anywhere else.
exploits have been handed over in previous years, but it's an explicit non-requirement
in this year's contest, and that's worrisome," the Chrome security team
explained. "We will therefore be running this alternative Chrome-specific
promised to send non-Chrome bugs to the affected vendor when it learns of them.
ratcheting up its attention to Chrome security. The latest news comes weeks after Google expanded
its security rewards program after paying out more than $700,000 to researchers
who have detected hundreds of bugs in its Chrome browser since the company
launched the program in January 2010.