Google Scraps Format for Pwnium Bug Disclosures

Researchers will now be able to submit Chrome bug-chains throughout the year, reducing the likelihood of multiple researchers working on discovering the same bugs.

Google security

Google has scrapped its once-a-year Pwnium competition for bug hunters, replacing it with ongoing working exploits against Chrome OS, Flash and related software.

Instead of an annual one-day event at CanSecWest, security researchers will now have an opportunity to disclose Pwnium style bug chains throughout the year via Google's Chrome Vulnerability Reward Program (VRP).

The change is designed to remove some of the barriers to entry under the existing Pwnium format, Tim Will, a member of the Chrome security team said in a blog post Tuesday. With the one-day format, security researchers had to wait until the event in March in order to be able to report a working exploit and become eligible for a cash award.

"This is a bad scenario for all parties," Will said, "It's bad for us because the bug doesn't get fixed immediately and our users are left at risk." Letting researchers disclose security vulnerabilities and exploits all year round also reduces the likelihood of multiple researchers working on or discovering the same bug.

The once-a-year format also required bug hunters to register for the conference, be there physically and demonstrate the exploit under relatively rigid time restraints and terms and conditions. The new Pwnium removes such barriers by permitting bug and exploit submissions throughout the year via the Chrome VRP, Will said.

On top of all of these reasons, the participants in Pwnium program wanted an option to report bugs all year. "They did, so we're delivering."

The rules for disclosing Pwnium bug chains are the same as those governing the Chrome reward program. Researchers who discover security bugs in stable, beta and development versions of Chrome or Chrome OS will be eligible for rewards ranging from $500 to $15,000. Google also has a standing offer of $50,000 for anyone that can break into a Chromebook or Chromebox while in guest mode.

The numbers are only an indication of the typical amounts Google awards to bug finders. Many times, Google has handed out awards in excess of $30,000 under the Chrome rewards program, according to the company.

The rewards offered to bug hunters under the Chrome VRP are relatively substantial but pale in comparison to the $110,000 to $150,000 that Google used to offer during the annual Pwnium contest at CanSecWest. But that's only because the Pwnium event required researchers to be physically present at the event. It also required them to be willing to accept the chance that some other researcher, including those at Google, would find the bug before the security researcher had a chance to claim credit for it, Google said in a FAQ on the Chrome Rewards Program page.

The Pwnium program revamp is the second major change that Google has made to its security disclosures programs in recent weeks. Earlier this month the company announced a new Vulnerability Research Grants initiative under which Google is offering cash awards of up to $3,133.70 to qualified researchers interested in finding security bugs in specific Google products. Unlike typical bug bounty programs, the research grants initiative pays researchers who have been invited to participate even if they do not always find any flaws in Google products.

In addition, Google also has its own vulnerability research program dubbed Project Zero that is focused on finding security vulnerabilities in software products from other vendors.

Jaikumar Vijayan

Jaikumar Vijayan

Vijayan is an award-winning independent journalist and tech content creation specialist covering data security and privacy, business intelligence, big data and data analytics.