Google Shelling Out Up to $1M for Chrome Bug Hunt

Acting on the notion that it is harder to find exploits than security bugs, Google (NASDAQ:GOOG) is offering up to $1 million in rewards to those who find full and partial exploits in the popular Web browser.

The awards, which will be doled out at the Pwn2Own hacking contest at the CanSecWestCanSecWest security conference in Vancouver next week, also include a free Chromebook for every participant who submits an exploit.

The payouts include $60,000 for a full Chrome exploit covering user account persistence using only bugs in Chrome. Google is offering $40,000 for partial Chrome exploits covering persistence using at least one bug in Chrome itself, and other bugs, such as a WebKit bug combined with a Windows sandbox bug.

The company is further paying $20,000 for consolation awards, to those who find flaws in Flash, Windows or a driver, which may threaten any Web browser if exploited

The idea is not only to help Google hunt and squash bugs in Chrome, which has more than 220 million users, but also to help the Chrome security team study vulnerabilities and exploit techniques to bolster the browser’s security in the future.

The reward program extends the company’s popular Chromium Security Rewards program “by recognizing that developing a fully functional exploit is significantly more work than finding and reporting a potential security bug,” the Chrome security team said in a blog post.

Google will offer multiple rewards per category, up to the $1 million limit, with rewards coming on a first-come, first-served basis. Each set of exploit bugs must be fully functional, of critical impact, present in the latest versions and be genuinely zero-day vulnerabilities, or not be known to Google or third parties.

Interestingly, Google noted that while it was going to sponsor this year’s Pwn2Own competition, it withdrew its sponsorship when it learned that contestants are permitted to enter Pwn2Own without having to reveal full exploits to vendors.

Google doesn’t like this approach, insisting that exploits be sent to Google and judged by Google before being submitted anywhere else.

“Full exploits have been handed over in previous years, but it’s an explicit non-requirement in this year’s contest, and that’s worrisome,” the Chrome security team explained. “We will therefore be running this alternative Chrome-specific reward program.”

The company promised to send non-Chrome bugs to the affected vendor when it learns of them.

Google is ratcheting up its attention to Chrome security. The latest news comes weeks after Google expanded its security rewards program after paying out more than $700,000 to researchers who have detected hundreds of bugs in its Chrome browser since the company launched the program in January 2010.