Tag: Pwnium

Pwnium 2

Pwnium 2

 After the success of the first Pwnium competition held earlier this year, Google has announced the second Pwnium competition; in this Pwnium 2, Google had increased its bug bounty offering to security researchers.

This time it’s putting a total of $2 million in rewards on the table for anyone who can find bugs in its browser, exploit them, and tell Google’s security team the details of their techniques.

The Pwnium 2 will be held on Oct 10th, 2012 at the Hack In The Box 10 year anniversary conference in Kuala Lumpur, Malaysia.

Google is offering up to $60,000 for a single working Chrome exploit. While several other companies including Mozilla, PayPal and Facebook offer bug bounties, none publicly offers such a high sum.

This time, Google sponsoring up to $2 million worth of rewards at the following reward levels:

  • $60,000: “Full Chrome exploit”: Chrome / Win7 local OS user account persistence using only bugs in Chrome itself. 
  • $50,000: “Partial Chrome exploit”: Chrome / Win7 local OS user account persistence using at least one bug in Chrome itself, plus other bugs. For example, a WebKit bug combined with a Windows kernel bug. 
  • $40,000: “Non-Chrome exploit”: Flash / Windows / other. Chrome / Win7 local OS user account persistence that does not use bugs in Chrome. For example, bugs in one or more of Flash, Windows or a driver. 
  • $Panel decision: “Incomplete exploit”: An exploit that is not reliable, or an incomplete exploit chain. For example, code execution inside the sandbox but no sandbox escape; or a working sandbox escape in isolation. For Pwnium 2, Google want to reward people who get “part way” as we could definitely learn from this work. Google rewards panel will judge any such works as generously as they can. 

Exploits should be demonstrated against the latest stable version of Chrome. Chrome and the underlying operating system and drivers will be fully patched and running on an Acer Aspire V5-571-6869 laptop (which we’ll be giving away to the best entry.) Exploits should be served from a password-authenticated and HTTPS Google property, such as App Engine. The bugs used must be novel i.e. not known or fixed on trunk. 

source: ehackingnews, google

Pwnium: rewards for exploits

Google’s Giving $60,000 to Whoever Can Exploit Chrome :

Google has offered prizes, totalling $1 million, to those who successfully hack the Google Chrome browser at the Pwn2Own hacker contest taking place today i.e. 7March 2012. Chrome is the only browser in the contest’s six year history to not be exploited like at all. 

Therefore Google will hand out prizes of $60,000, $40,000, and $20,000 for contestants able to remotely commandeer a fully-patched browser running on Windows 7. Finding a “Full Chrome Exploit,” obtaining user account persistence using only bugs in the browser itself will net the $60k prize. Using webkits, flash, or a driver-based exploit can only earn the lesser amounts.

Prizes will be awarded on a first-come-first-serve basis, until the entire $1 million has been claimed. While we’re proud of Chrome’s leading track record in past competitions, the fact is that not receiving exploits means that it’s harder to learn and improve,” said Chris Evans and Justin Schuh, members of the Google Chrome security team. 

To maximize our chances of receiving exploits this year, we’ve upped the ante. We will directly sponsor up to $1 million worth of rewards.”  Pwn2Own isn’t the only time researchers can be paid for digging up security flaws in Chrome. Like other companies including Mozilla and Facebook, Google offers “bug bounties” to researchers, and its flaw-buying program has given out more than $300,000 in payments over the last two years.

source:thehackernews,blog.chromium