With $3.14159 million in prize money at stake, Google’s Chrome OS has withstood attempts to hack it in the company’s semi-annual Pwnium contest in Vancouver, a Google spokeswoman told The Security Ledger.
In a statement Thursday, Google spokeswoman Jessica Kositz said that the company did not receive any winning entries during the day-long contest, but that the company is evaluating work that may qualify for a partial prize: a potentially infinite series of Google Wallet transfers in the amounts: $1 followed by $.50 followed by $.25 followed by $.125 and so on.
OK – We made that last part up.
Pwnium runs alongside the better-known pwn2own contest at CanSecWest. This year, Google is providing funding for both contests. However, in 2012 the company pulled its support for pwn2own, objecting to the lack of a requirement of “responsible disclosure” – in which entrants must disclose the details of their exploits to the affected company. In contrast to pwn2own, Pwnium contestants divulge the details of the vulnerabilities they have discovered, along with working exploits, to Google in exchange for richer prizes.
“Working with the security community is one of the best ways we know to keep our users safe, so we’re grateful to the researchers who take the time to help us in these efforts,” Google said.
Google announced the huge new pot in January, setting aside $Π million for vulnerability experts who could bring the company remotely exploitable holes affecting its Chrome OS. Google promised to pay $110,000 for a browser or system-level compromise delivered via a web page to a Chrome user in guest mode or logged in, and $150,000 for any compromise with “device persistence” delivered via a web page, the company announced on the Chromium blog.
“We believe these larger rewards reflect the additional challenge involved with tackling the security defenses of Chrome OS, compared to traditional operating systems,” wrote Chris Evans of Google’s Security Team.
But the company didn’t make the job easy. Chrome’s native security features pose a considerable challenge to hackers under normal circumstances. Then, on Monday, Google released an update fixing 10 vulnerabilities in Chrome – five of them rated “High.” Any of those might have contributed to a hack that would warrant a six-figure payout under Pwnium’s rules. Instead, Google paid between $1,000 and $2,000 for each vulnerability to the researcher responsible for disclosing it to the company.
Pwnium 3 took place at the CanSecWest Security Conference in Vancouver, British Columbia, Canada on Thursday. In the company’s last Pwnium contest, held at the Hack in the Box Conference in October, just one prize was claimed: a $60,000 payout to a hacker who goes by the handle “Pinkie Pie.” The winning attack required Pinkie Pie to chain together six separate exploits in order to break Chrome’s security. A promised demonstration of a Chrome zero-day at the Indian hacker conference Malcon in November never happened.
The competing pwn2own contest had more comers, with $500,000 in prize money doled out to researchers from the French firm VUPEN and others, including prizes for two zero-day flaws in Microsoft’s Internet Explorer browser that were used to break into a fully patched Windows 7 SP1 machine.