The annual Pwn2Own contest always claims a number of victims, from the Apple iPhone to Microsoft Internet Explorer. But Google, whose Chrome browser emerged untargeted and unscathed last year, is feeling confident.
How else to explain their decision to offer a $20,000 reward for the researcher who can exploit the Chrome browser?
“Kudos to the Google security team for taking the initiative to approach us on this; we’re always in favor of rewarding security researchers for the work they too often do for free,” blogged Aaron Portnoy, manager of the security research team at TippingPoint Technologies.
All totaled, HP TippingPoint, whose ZDI (Zero Day Initiative) team runs the contest, is offering $125,000 in rewards. As usual, the competition will focus on Web browsers and mobile devices. The bull’s eye is on Internet Explorer, Google Chrome, Apple Safari and Mozilla Firefox, with each browser installed on a 64-bit system running the latest version of either OS X or Windows 7.
Taking down IE, Safari or Firefox will net the researcher $15,000 in cash, a laptop and 20,000 ZDI reward points, which qualifies them for a variety of benefits. As for Chrome, the contest will have two parts. Day one will offer the $20,000 reward and a CR-48 notebook for the contestant who can exploit the browser and escape the sandbox using vulnerabilities present in Google-written code.
If the competitors are unsuccessful, on day two and three, the ZDI will offer $10,000 for a sandbox escape in non-Google code, and Google will put up $10,000 for the Chrome bug. Either way, plug-ins other than the built-in PDF support are out of scope, Portnoy explained.
“Last year the contest was a great success, with three of the four browsers successfully compromised as well as the Apple iPhone,” he wrote.
The contest will take place March 9-11in Vancouver, B.C., during the CanSecWest conference. Preregistration will close on Feb. 15, though on-site registration will be allowed as well. To register ahead of time, send an e-mail to zdi@tippingpoint.com with the following information: name, intended target, and any requirements, such as static IP addresses and so forth.