Google Again Paying Rewards for Chrome OS Security Fixes
Google is putting up $2.7 million to pay for security fixes from software researchers who identify and fix vulnerabilities in Chrome OS code.Google is offering rewards of up to $150,000 each to security researchers who help the company identify and patch serious vulnerabilities in the code for Chrome OS as Google continues to sponsor competitions that help it root out bad code in its products. "Security is a core tenet of Chromium, which is why we hold regular competitions to learn from security researchers," wrote Jorge Lucángeli Obes, a Google security engineer, in a recent post on The Chromium Blog. "Contests like Pwnium help us make Chromium even more secure. This year Pwnium 4 will once again set sights on Chrome OS, and will be hosted in March at the CanSecWest security conference," which will be held March 12-14 at the Sheraton Wall Centre hotel in downtown Vancouver, British Columbia. At this year's event, Google will offer a total of $2.7 million in Pwnium rewards for eligible Chrome OS exploits, he wrote. Prizes of $110,000 will be paid for fixes for browser or system-level compromises in guest mode or as a logged-in user, delivered via a Web page. Prizes of $150,000 will be paid for compromises involving device persistence such as guest to guest with interim reboot, delivered via a Web page, according to Obes. "New this year, we will also consider significant bonuses for demonstrating a particularly impressive or surprising exploit," he wrote. "Potential examples include defeating kASLR, exploiting memory corruption in the 64-bit browser process or exploiting the kernel directly from a renderer process."
Participants in the past were asked to focus their bug-seeking efforts on Intel-based Chrome OS devices, according to Obes, but are now also welcome to seek vulnerabilities on platforms such as ARM-based Chromebooks, the HP Chromebook 11 (WiFi) or the Acer C720 Chromebook (2GB WiFi), which is based on the Intel Haswell microarchitecture, he wrote. "The attack must be demonstrated against one of these devices running the then-current stable version of Chrome OS."