On Wednesday, the company announced plans for Pwnium 2, a Competition that will pay $60,000 for hacks that fully exploit its Chromium browsers.
The competition, scheduled for October 10 at the Hack In The Box security conference in Malaysia, will honor smaller amounts for Chrome aggresses that rely on computer code not native to the browser. E.g., a “partial Chrome exploit,” specified as one that merges a bug in Chrome’s native code base with a bug in Windows, will be awarded $50,000. A “non-Chrome exploit” in Adobe Flash, Windows or other app will bring in $40,000.
“You may have noticed that we’ve compressed the reward levels closer together for Pwnium 2,” Google software engineer Chris Evans wrote in Wednesday’s blog post. “This is in response to feedback, and reflects that any local account compromise is very serious. We’re happy to make the web safer by any means—even rewarding vulnerabilities outside of our immediate control.”
Google will honor prizes until the $2 million threshold is gained. The company paid just $120,000 worth of accolades during the first Pwnium competition in March.
Although the quantity was only 12 percent of the $1 million it pledged, the contest ensued in two exploits that were remarkable because they relied altogether on code native to Chrome to break away from its highly regarded security sandbox.
The mechanics contain JavaScript, HTML and other web content within a tightly limited perimeter to prevent it from hijacking sensitive OS functions such as modifying registry settings or accessing user information.