If you are a talented aspiring hacker who is looking for challenges (and for money), this post is for you. Google is offering rewards of up to $1 million (one million dollars) to people who find security bugs in the Chrome browser.
Two weeks from now, the CanSecWest security conference will take place in Vancouver (March 7th-9th). In recent years, part of the conference has been the yearly Pwn2Own hacking contest, which challenges hackers to try to breach the top web browsers such as Internet Explorer, Firefox, Safari and Chrome.
For the last three years, Chrome remained the only browser unbreached, which naturally diverted hackers’ attention to other browsers in which security bugs were easier to find. So this year Google decided to offer people the best incentive to try finding security bugs in Chrome: Money. A lot of money.
Google has announced that it will run its own contest this year, offering three kinds of awards for the winners during the contest (in addition to a Chromebook):
- Consolation Reward: $20,000 for finding security bugs that affect all browsers and don’t necessarily relate to Chrome, for example bugs in Windows or Flash.
- Partial Chrome Exploit: $40,000 for finding security bugs in Chrome alongside complementary security bugs in other mechanisms like operating systems.
- Full Chrome Exploit: $60,000 for finding security bugs only in Chrome.
Google will keep granting rewards to the hackers who find security bugs until the total amount reaches $1 million. There’s no limit on the number of bugs each hacker can find, so theoretically one person could win up to $1 million (although it most probably won’t happen).
Why is Google so generous? It is a great way for them to find security bugs in their browser in a safe and supervised environment at the hands of gifted, enthusiastic (and greedy) hackers. It is much better than getting caught with your pants down publicly without any control. As stated by Chrome’s Security Team:
“Not only can we fix the bugs, but by studying the vulnerability and exploit techniques we can enhance our mitigations, automated testing, and sandboxing. This enables us to better protect our users.”
Note that unlike in prior contests, this year Google will run its own program and will NOT sponsor the Pwn2Own program. The reason is that this year Pwn2Own doesn’t require the winners to reveal the exact details of how they hacked, which essentially contradicts Google’s whole purpose for the contest.
These are definitely good times to be a (good) hacker. There are so many competitions by the top tech companies, like this one and Facebook’s Hacker Cup, so you can earn really nicely and, more importantly, legitimately. It’s like, you don’t really need to be a hacker (Catch-22?)…