Google Doubles Down On Rewards For Bug Reports With $2 Million In Hacking Prizes
If Google hadn’t made the message clear enough already: It really, really wants you to hack its software.
On Wednesday the company announced that it’s holding another competition for hackers to target its Chrome browser, following the Pwnium competition it held in Vancouver last March, where it offered a total of $1 million in hacking prizes. This time the company’s putting a total of $2 million in rewards on the table for anyone who can find bugs in its browser, exploit them, and tell Google’s security team the details of their techniques.
“The first Pwnium competition held earlier this year exceeded our expectations,” Google security engineer Chris Evans wrote in a blog post. “Most importantly, we were able to make Chromium [the open-source code base on which Chrome is built] significantly stronger based on what we learned.”
The contest will be held in October at the Hack in the Box security conference in Kuala Lumpur, Malaysia. “We hope this gives enough time for the security community to craft more beautiful works, which we’d be more than happy to reward and celebrate,” Evans wrote.
Google is offering up to $60,000 for a single working Chrome exploit. While several other companies including Mozilla, PayPal and Facebook offer bug bounties, none publicly offers such a high sum.
In another blog post Tuesday, Google wrote that it had already paid out $1 million in total bounties, and would be adding small bonuses for certain categories of exploits.
Bumping its total payout for the competition, which it’s calling Pwnium 2, may be more of a marketing stunt than a significant change. In the last Pwnium contest (whose name comes from the word “pwn,” hacker jargon for compromising or taking over a target) Google only found two hackers willing and capable of winning its $60,000 prize and gave out only a small fraction of its $1 million bounty.
Even with $60,000 rewards, it’s not clear that hackers able to take Chrome apart will come forward to claim the prizes. Google’s bounties likely can’t match the sums offered by government intelligence and law enforcement agencies who buy similarly rare exploits with the intention of using them for spying on and tracking targets rather than helping software vendors fix their security flaws.
At the Vancouver conference where Google’s last Pwnium competition was held, for instance, French security firm Vupen demonstrated an exploit for Chrome at the simultaneous Pwn2Own competition, which unlike Google’s contest doesn’t require hackers to share all the details of their methods. Vupen’s chief executive Chaouki Bekrar told me that he had no intention of participating in Google’s competition if it meant revealing an exploit it could instead keep secret and sell to its government customers. “We wouldn’t share this with Google for even $1 million,” he said at the time.
In his Twitter feed Wednesday, Bekrar suggested that a bigger total reward pool wouldn’t convince Vupen to share its tricks with Google.
“Pwnium 2!” he wrote. “Expect me on Forbes saying: ‘We won’t give our pwn even for $2 millions.’”