Google is following the growing trend of rewarding hackers for finding bugs in its code by holding the Pwnium security challenge at next week’s CanSecWest conference in Vancouver.
On Monday Google announced that it would pay cash awards from a fund of $1 million to anyone who can hack the Chrome browser. Google has pledged to pay multiple awards of $60,000, $40,000 and $20,000, depending on the severity of the exploits, up to a total of $1 million. Successful hackers will also win a Chromebook.
Writing on its blog, Google said: “We require each set of exploit bugs to be reliable, fully functional end to end, disjoint, of critical impact, present in the latest versions and genuinely ‘0-day,’ i.e. not known to us or previously shared with third parties.”
The rewards criteria are detailed as follows on the Chromium Blog:
$60,000 – “Full Chrome exploit”: Chrome / Win7 local OS user account persistence using only bugs in Chrome itself.
$40,000 – “Partial Chrome exploit”: Chrome / Win7 local OS user account persistence using at least one bug in Chrome itself, plus other bugs. For example, a WebKit bug combined with a Windows sandbox bug.
$20,000 – “Consolation reward, Flash / Windows / other”: Chrome / Win7 local OS user account persistence that does not use bugs in Chrome. For example, bugs in one or more of Flash, Windows or a driver. These exploits are not specific to Chrome and will be a threat to users of any web browser. Although not specifically Chrome’s issue, we’ve decided to offer consolation prizes because these findings still help us toward our mission of making the entire web safer.
This is not the first time a company has rewarded hackers for finding faults in its products – in the summer of 2011 Facebook ran a similar programme, and even admitted that it acts as a recruitment process in some cases.