Google is offering up to $1 million in total bounties for hackers who can find security exploits in its Chrome browser. There’s no better way for the Chrome team to shore up security problems than by inviting people to point them out. The contest will convene at Chrome’s table at the CanSecWest security conference from March 7-9.
There are three tiers of rewards, all for exploits against Chrome running on Windows. A full exploit that relies only on bugs in Chrome itself earns $60,000, a partial exploit that combines at least one Chrome bug with bugs elsewhere earns $40,000, and the consolation prize of $20,000 goes to an exploit against Chrome that uses no Chrome bugs at all, only bugs in Flash, Windows or other software. All winners also get a Chromebook.
From the Chromium blog:
$60,000 – “Full Chrome exploit”: Chrome / Win7 local OS user account persistence using only bugs in Chrome itself.
$40,000 – “Partial Chrome exploit”: Chrome / Win7 local OS user account persistence using at least one bug in Chrome itself, plus other bugs. For example, a WebKit bug combined with a Windows sandbox bug.
$20,000 – “Consolation reward, Flash / Windows / other”: Chrome / Win7 local OS user account persistence that does not use bugs in Chrome. For example, bugs in one or more of Flash, Windows or a driver. These exploits are not specific to Chrome and will be a threat to users of any web browser. Although not specifically Chrome’s issue, we’ve decided to offer consolation prizes because these findings still help us toward our mission of making the entire web safer.
The total budget for rewards is $1 million, and Google will pay out as many rewards as it can on a first-come, first-served basis until the money runs out. All submissions must be judged by Google before they are submitted anywhere else.
Google had planned to offer Chrome as one of the target browsers in the conference's Pwn2Own contest, as it did last year. It withdrew that sponsorship after learning that contestants were not required to disclose their exploits or bugs to vendors in order to enter. So this year Google is running its own contest for Chrome, and it promises to forward bugs found in software other than Chrome to the affected vendor immediately.