Google has offered prizes, totalling $1 million, to those who successfully hack the Google Chrome browser, as the internet giant turns to hackers to find weaknesses in its browser to bolster its security.
The prizes will be offered at a US-based hacking contenthe Pwn2Own hacker contest taking place next week.
Chrome is the only browser in the contest’s six year history to not be exploited like at all.
Google will hand out prizes of $60,000, $40,000, and $20,000 for contestants able to remotely commandeer a fully-patched browser running on Windows 7.
Finding a “Full Chrome Exploit,” obtaining user account persistence using only bugs in the browser itself will net the $60k prize.
Using webkits, flash, or a driver-based exploit can only earn the lesser amounts.
Prizes will be awarded on a first-come-first-serve basis, until the entire $1 million has been claimed. “While we’re proud of Chrome’s leading track record in past competitions, the fact is that not receiving exploits means that it’s harder to learn and improve,” said Chris Evans and Justin Schuh, members of the Google Chrome security team.
“To maximize our chances of receiving exploits this year, we’ve upped the ante. We will directly sponsor up to $1 million worth of rewards.” Pwn2Own isn’t the only time researchers can be paid for digging up security flaws in Chrome.
Like other companies including Mozilla and Facebook, Google offers “bug bounties” to researchers, and its flaw-buying program has given out more than $300,000 in payments over the last two years.
While both Safari and IE collapsed under the pressure from hackers at last year’s Pwn2Own contest, not one person was able to crack Chrome.
“While we’re proud of Chrome’s leading track record in past competitions, the fact is that not receiving exploits means that it’s harder to learn and improve,” wrote members of the Google Chrome security team in a post on Monday. “To
maximize our chances of receiving exploits this year, we’ve upped the ante. We will directly sponsor up to $1 million worth of rewards.”
The company will not, however, sponsor the contest itself as it has in year’s past. Google pulled its support after finding that recent rule changes allowed hackers to claim prize money without actually revealing the inner workings of the exploit to vendors.