Google Scraps Format for Pwnium Bug Disclosures | eWeek

Google Scraps Format for Pwnium Bug Disclosures

Google security
Feb 26, 2015
3 minute read
eWeek content and product recommendations are editorially independent. We may make money when you click on links to our partners. Learn More

Google has scrapped its once-a-year Pwnium competition for bug hunters, replacing it with ongoing working exploits against Chrome OS, Flash and related software.

Instead of an annual one-day event at CanSecWest, security researchers will now have an opportunity to disclose Pwnium style bug chains throughout the year via Google’s Chrome Vulnerability Reward Program (VRP).

The change is designed to remove some of the barriers to entry under the existing Pwnium format, Tim Will, a member of the Chrome security team said in a blog post Tuesday. With the one-day format, security researchers had to wait until the event in March in order to be able to report a working exploit and become eligible for a cash award.

“This is a bad scenario for all parties,” Will said, “It’s bad for us because the bug doesn’t get fixed immediately and our users are left at risk.” Letting researchers disclose security vulnerabilities and exploits all year round also reduces the likelihood of multiple researchers working on or discovering the same bug.

The once-a-year format also required bug hunters to register for the conference, be there physically and demonstrate the exploit under relatively rigid time restraints and terms and conditions. The new Pwnium removes such barriers by permitting bug and exploit submissions throughout the year via the Chrome VRP, Will said.

On top of all of these reasons, the participants in Pwnium program wanted an option to report bugs all year. “They did, so we’re delivering.”

The rules for disclosing Pwnium bug chains are the same as those governing the Chrome reward program. Researchers who discover security bugs in stable, beta and development versions of Chrome or Chrome OS will be eligible for rewards ranging from $500 to $15,000. Google also has a standing offer of $50,000 for anyone that can break into a Chromebook or Chromebox while in guest mode.

The numbers are only an indication of the typical amounts Google awards to bug finders. Many times, Google has handed out awards in excess of $30,000 under the Chrome rewards program, according to the company.

The rewards offered to bug hunters under the Chrome VRP are relatively substantial but pale in comparison to the $110,000 to $150,000 that Google used to offer during the annual Pwnium contest at CanSecWest. But that’s only because the Pwnium event required researchers to be physically present at the event. It also required them to be willing to accept the chance that some other researcher, including those at Google, would find the bug before the security researcher had a chance to claim credit for it, Google said in a FAQ on the Chrome Rewards Program page.

The Pwnium program revamp is the second major change that Google has made to its security disclosures programs in recent weeks. Earlier this month the company announced a new Vulnerability Research Grants initiative under which Google is offering cash awards of up to $3,133.70 to qualified researchers interested in finding security bugs in specific Google products. Unlike typical bug bounty programs, the research grants initiative pays researchers who have been invited to participate even if they do not always find any flaws in Google products.

In addition, Google also has its own vulnerability research program dubbed Project Zero that is focused on finding security vulnerabilities in software products from other vendors.

eWeek Logo

eWeek has the latest technology news and analysis, buying guides, and product reviews for IT professionals and technology buyers. The site's focus is on innovative solutions and covering in-depth technical content. eWeek stays on the cutting edge of technology news and IT trends through interviews and expert analysis. Gain insight from top innovators and thought leaders in the fields of IT, business, enterprise software, startups, and more.

Property of TechnologyAdvice. © 2026 TechnologyAdvice. All Rights Reserved

Advertiser Disclosure: Some of the products that appear on this site are from companies from which TechnologyAdvice receives compensation. This compensation may impact how and where products appear on this site including, for example, the order in which they appear. TechnologyAdvice does not include all companies or all types of products available in the marketplace.