Google Chrome Hack Contest Offers Up to $1M at CanSecWest Security Conference

Think you can hack the Google Chrome browser?

You could win $1 million in cold, hard cash.

Google's Chrome security team has announced it's offering cash rewards totaling up to $1million in exchange for demonstrated exploits of the Google Chrome browser. The rewards will be presented at Google's Pwnium competition at the CanSecWest security conference in Vancouver March 7-9.

Rewards are maxed out at $60,000 for a full Chrome exploit that uses only bugs in Chrome itself in order to gain access to Windows 7 user permissions or local OS user account persistence as it's described on the official Chromium Blog post.

Google will give $40,000 to any partial Chrome exploit described as getting access to Windows 7 permissions using at least one bug in Chrome itself, plus other bugs. For example, a WebKit bug combined with a Windows sandbox bug, says the official blog post.

Google will give $20,000 as a consolation reward to anyone that's able to exploit Chrome in Flash or Windows only. For example, bugs in one or more of Flash, Windows or a driver. These exploits are not specific to Chrome and will be a threat to users of any web browser. Although not specifically Chrome's issue, we've decided to offer consolation prizes because these findings still help us toward our mission of making the entire web safer, says the official blog post.

All winners will also receive a Chromebook.

The rules are made clear on the company blog:

We will issue multiple rewards per category, up to the $1 million limit, on a first-come-first served basis. There is no splitting of winnings or winner takes all. We require each set of exploit bugs to be reliable, fully functional end to end, disjoint, of critical impact, present in the latest versions and genuinely 0-day, i.e. not known to us or previously shared with third parties. Contestant's exploits must be submitted to and judged by Google before being submitted anywhere else.

Google was originally going to sponsor Pwn2Own competition, which is also at the CanSecWest security conference. Google withdrew its sponsorship after discovering that contestants are allowed to enter Pwn2Own without having to reveal full exploits or even the bugs used to the vendors. The Chromium team describe Pwn2Own's policies as worrisome and said that We will therefore be running this alternative Chrome-specific reward program. It is designed to be attractive -- not least because it stays aligned with user safety by requiring the full exploit to be submitted to us. We guarantee to send non-Chrome bugs to the appropriate vendor immediately.