Google puts $1M on the line for Chrome exploit rewards

Google on Monday withdrew as a sponsor of next month’s Pwn2Own hacking contest, and will instead put as much as $1 million up for grabs if researchers can exploit Chrome.

The company will run its own exploit challenge at the CanSecWest security conference, the venue for Pwn2Own, because it objected to what it said was a change in the rules by contest organizer and prime sponsor, HP TippingPoint’s bug-bounty program, Zero Day Initiative (ZDI).

“We decided to withdraw our sponsorship when we discovered that contestants are permitted to enter Pwn2Own without having to reveal full exploits, or even all of the bugs used, to vendors,” said Chris Evans and Justin Schuh, two members of the Chrome security team, in a Monday post to the Chromium blog . “Full exploits have been handed over in previous years, but it’s an explicit non-requirement in this year’s contest, and that’s worrisome.”

Pwn2Own’s rules say nothing about not handing over complete exploits or all bugs to vendors at the close of the contest, but a Jan. 23 tweet by ZDI said, “To clarify, if a team demonstrates 0day at Pwn2Own 2012, but doesn’t end up as a winner, the vuln[nerability] is still theirs and will not be reported.”

Previously, Google had promised to pay $20,000 to any researcher who managed to exploit Chrome by leveraging browser-only flaws, and $10,000 for a “partial” exploit that relies on a bug in Chrome in addition to a bug in the operating system.

Because Chrome is “sandboxed”—an anti-exploit technology that isolates malware—a hack of the browser typically requires two or more exploits. The first is necessary to get attack code out of the sandbox, and the second is needed to actually exploit a Chrome vulnerability and plant malware on the machine.

But Google is ditching that $20,000 maximum scheme, and will put up to $1 million on the line at CanSecWest, said Evans and Schuh.

“We’ve upped the ante,” said the engineers.

For what they called a “full Chrome exploit”—one that successfully hacks Chrome on Windows 7 using only vulnerabilities in Chrome itself—Google will pay $60,000, which is equivalent to Pwn2Own’s top prize for that three-day contest.

A partial exploit that uses one bug within Chrome and one or more others—perhaps in Windows—earns a researcher $40,000. Finally, Google will pay $20,000 for “consolation” exploits that hack Chrome without using any vulnerabilities in the browser itself.

The only limit Google has put on the challenge is a maximum total payout of $1 million. “We will issue multiple rewards per category, up to the $1 million limit, on a first-come-first served basis,” said Evans and Schuh.

For the bigger rewards, Google will require more from researchers, who must demonstrate that the bug(s) are reliably exploitable, of critical impact and true “zero-days” that are unknown to Google and have not been shared with any third parties. Both the vulnerabilities used as well as the full exploit must be handed over to Google so that it can, as Evans and Schuh said, “Enhance our mitigations, automated testing, and sandboxing.”

Google’s rules also effectively eliminate that few if any working Chrome exploits will be used in Pwn2Own. “Contestant’s exploits must be submitted to and judged by Google before being submitted anywhere else,” said Evans and Schuh.

Although HP TippingPoint was not available late Monday for comment on Google’s departure from Pwn2Own, a Twitter exchange sounded like the split was amicable.

“Nice to see over that after 5 years of Pwn2Own vendors are finally stepping up and offering big $ for vuln[erabilities],” said Aaron Portnoy , the leader of TippingPoint’s security research team and the organizer of Pwn2Own.

The difference in TippingPoint’s and Google’s goals—the former seeks vulnerabilities it can add to its intrusion prevention system appliances, the latter wants exploits it can examine—appeared to be behind the latter’s decision to bail out of Pwn2Own.

“We want to study full end-to-end exploits, not just the bugs but also the techniques,” said Evans, also on Twitter .

Google tacitly acknowledged that the money it has offered at previous Pwn2Owns—$20,000 last year, $10,000 in 2010—had not been enough to shake Chrome bugs and exploits from the researcher tree.

“While we’re proud of Chrome’s leading track record in past competitions, the fact is that not receiving exploits means that it’s harder to learn and improve,” said Evans and Schuh in the Monday blog post.

Chrome’s record at Pwn2Own has been impressive: No researcher has been awarded prize money for exploiting Google’s browser at the contest. Apple’s Safari, Microsoft’s Internet Explorer and Mozilla’s Firefox—the other browser targets—have all been hacked one or more times.

It’s possible that that may change this year.

French security firm Vupen, which took home $15,000 at last year’s Pwn2Own for exploiting Safari, plans to bring at least one Chrome zero-day to CanSecWest. Last week, Chaouki Bekar, Vupen’s CEO and head of research, said that a team from his company would be at Pwn2Own; earlier he had claimed Vupen had zero-days for not only Chrome, but also Firefox, IE and Safari.

Vupen’s appearance at Google’s CanSecWest table could be awkward: Last May, the French company boasted it had figured out a way to hack Chrome by sidestepping the browser’s sandbox and evading Windows 7’s own anti-exploit technologies.

Google was unable to verify the claim because Vupen does not report flaw to vendors.

Any vulnerabilities in non-Chrome code revealed by money winners will be turned over to the appropriate vendor, Evans and Schuh promised.

CanSecWest, Pwn2Own and Google’s exploit-reward program will take place in Vancouver, British Columbia, March 7-9.

This story, "Google puts $1M on the line for Chrome exploit rewards" was originally published by Computerworld.

Shop Tech Products at Amazon