Google Again Paying Rewards for Chrome OS Security Fixes

Google is putting up $2.7 million to pay for security fixes from software researchers who identify and fix vulnerabilities in Chrome OS code.

Google is offering rewards of up to $150,000 each to security researchers who help the company identify and patch serious vulnerabilities in the code for Chrome OS as Google continues to sponsor competitions that help it root out bad code in its products.

"Security is a core tenet of Chromium, which is why we hold regular competitions to learn from security researchers," wrote Jorge Lucángeli Obes, a Google security engineer, in a recent post on The Chromium Blog. "Contests like Pwnium help us make Chromium even more secure. This year Pwnium 4 will once again set sights on Chrome OS, and will be hosted in March at the CanSecWest security conference," which will be held March 12-14 at the Sheraton Wall Centre hotel in downtown Vancouver, British Columbia.

At this year's event, Google will offer a total of $2.7 million in Pwnium rewards for eligible Chrome OS exploits, he wrote. Prizes of $110,000 will be paid for fixes for browser or system-level compromises in guest mode or as a logged-in user, delivered via a Web page. Prizes of $150,000 will be paid for compromises involving device persistence such as guest to guest with interim reboot, delivered via a Web page, according to Obes.

"New this year, we will also consider significant bonuses for demonstrating a particularly impressive or surprising exploit," he wrote. "Potential examples include defeating kASLR, exploiting memory corruption in the 64-bit browser process or exploiting the kernel directly from a renderer process."

Participants in the past were asked to focus their bug-seeking efforts on Intel-based Chrome OS devices, according to Obes, but are now also welcome to seek vulnerabilities on platforms such as ARM-based Chromebooks, the HP Chromebook 11 (WiFi) or the Acer C720 Chromebook (2GB WiFi), which is based on the Intel Haswell microarchitecture, he wrote. "The attack must be demonstrated against one of these devices running the then-current stable version of Chrome OS."

Participants can use any software included with the default installation as part of their Chrome OS attack, according to Obes. "For those without access to a physical device, the Chromium OS developer's guide offers assistance on getting up and running inside a virtual machine, but note that a virtual environment might differ from the physical devices where the attack must be demonstrated," he wrote.

Entrants in the competition must register in advance for a timeslot at the conference so that every entrant has enough time to demonstrate his or her exploit, wrote Obes. Participants must send an email to to register.

The deadline for registration is 8 p.m. EST on March 10 for exploits that are to be considered for awards.

"The official rules contain more details, but standard Pwnium rules apply: the deliverable is the full exploit, with explanations for all individual bugs used (which must be unknown); and exploits should be served from a password-authenticated and HTTPS-supported Google App Engine URL," wrote Obes.

In 2013, Google put up $3.1 million in prize money at the same conference as payments to researchers who identified security holes in Chrome OS.