Google has $2 million earmarked for cash prizes for discovering vulnerabilities, as part of its security program. Full Chrome exploits, like Pinkie Pie’s, earn $60,000 each.
“The aim of our sponsorship is simple: we have a big learning opportunity when we receive full end-to-end exploits,” Google noted. “Not only can we fix the bugs, but by studying the vulnerability and exploit techniques we can enhance our mitigations, automated testing, and sandboxing. This enables us to better protect our users.”
The company added: “Developing a fully functional exploit is significantly more work than finding and reporting a potential security bug.”
Pinkie Pie’s success was submitted as part of the Hack in the Box conference. According to Google, the hack involves the following exploit:
[$60,000][154983][154987] Critical CVE-2011-2358: SVG use-after-free and IPC arbitrary file write. Credit to Pinkie Pie.
Google is reserving other details until most users have been patched.
As the hacker’s trailblazing indicates, Chrome has not yielded much fruit in the way of vulnerabilities. Ironically, that’s what has spurred Google’s rewards program. “The fact is that not receiving exploits means that it’s harder to learn and improve,” Google said back in February when unveiling the program. “To maximize our chances of receiving exploits this year, we’ve upped the ante. We will directly sponsor up to $1 million worth of rewards”
The $60,000 prize is reserved for full Chrome exploits, those in “Chrome / Win7 local OS user account persistence using only bugs in Chrome itself.” Hackers also can win $40,000 for a Chrome / Win7 local OS user account persistence using at least one bug in Chrome itself, plus other bugs. For example, a WebKit bug combined with a Windows sandbox bug would qualify.
Google also rewards incomplete exploits, depending on how instructive they are. $20,000 goes for “consolation rewards,” for discovering bugs in Flash, Windows or a driver that impacts everyone, including Chrome users.
“These exploits are not specific to Chrome and will be a threat to users of any web browser. Although not specifically Chrome’s issue, we’ve decided to offer consolation prizes because these findings still help us toward our mission of making the entire web safer,” the search engine giant noted.
This is Pinkie Pie’s second win: In March, the hacker also earned $60,000 in the first Pwnium competition by chaining together six vulnerabilities in order to escape Chrome’s sandbox.