Google said it will pay up to $2 million for major vulnerabilities in its Chrome browser at a second Pwnium hacking contest this fall.
Pwn2Own, a rival contest sponsored by Hewlett-Packard, will award as much as $200,000 in a mobile-specific challenge slated to run several weeks earlier.
Google's Pwnium 2 will take place at the Hack In The Box security conference on Oct. 10 in Kuala Lumpur, Malaysia.
This time, Google will be sponsoring up to $2 million worth of rewards at the following reward levels:
- $60,000: "Full Chrome exploit": Chrome / Win7 local OS user account persistence using only bugs in Chrome itself.
- $50,000: "Partial Chrome exploit": Chrome / Win7 local OS user account persistence using at least one bug in Chrome itself, plus other bugs. For example, a WebKit bug combined with a Windows kernel bug.
- $40,000: "Non-Chrome exploit": Flash / Windows / other. Chrome / Win7 local OS user account persistence that does not use bugs in Chrome. For example, bugs in one or more of Flash, Windows or a driver.
- $Panel decision: "Incomplete exploit": An exploit that is not reliable, or an incomplete exploit chain.
Exploits should be demonstrated against the latest stable version of Chrome. Chrome and the underlying operating system and drivers will be fully patched and running on an Acer Aspire V5-571-6869 laptop (which Google will be giving away to the best entry.) Exploits should be served from a password-authenticated and HTTPS Google property, such as App Engine. The bugs used must be novel i.e. not known to us or fixed on trunk. Please document the exploit.