The attack must be demonstrated against a base (Wi-Fi) model of the Samsung Series 5 550 Chromebook, running the latest stable version of Chrome OS. Any installed software may be used to attempt the attack. Google is also accepting exploits found via a virtual machine.
The Google Chrome browser, meanwhile, is already featured this year in the Pwn2Own competition run by HP’s Zero Day Initiative (ZDI), which is partially underwritten by Google. Both competitions will be held at the CanSecWest security conference taking place March 6–8 in Vancouver.
“Security is one of the core tenets of Chrome, but no software is perfect, and security bugs slip through even the best development and review processes,” the company said in a blog post. “That’s why we’ve continued to engage with the security research community to help us find and fix vulnerabilities.”
For Pwnium 3, Google is offering $110,000 for a browser- or system-level compromise in guest mode or as a logged-in user, delivered via a web page, and $150,000 for a compromise with device persistence (guest to guest with interim reboot), delivered via a web page. Previously it was awarding $60,000 per exploit, up to $2 million.
Winners must deliver a full exploit plus accompanying explanation and breakdown of individual bugs used. Exploits should be served from a password-authenticated and HTTPS-supported Google property, such as Google App Engine.
Google said that the increased moolah is an acknowledgment of the difficulty of the task: “We believe these larger rewards reflect the additional challenge involved with tackling the security defenses of Chrome OS, compared to traditional operating systems,” it said.
Chrome was last pwned in a public forum by teen hacker Pinkie Pie, who received a $60,000 reward at the first Pwnium in March 2012, and another $60,000 prize from Google last fall, for launching a full Chrome exploit. It remains to be seen if he can do it again, for the bigger purse.
Google is happy to pay up, it said. “The aim of our sponsorship is simple: we have a big learning opportunity when we receive full end-to-end exploits,” Google noted at Pwnium 2. “Not only can we fix the bugs, but by studying the vulnerability and exploit techniques, we can enhance our mitigations, automated testing, and sandboxing. This enables us to better protect our users.”
The company added: “Developing a fully functional exploit is significantly more work than finding and reporting a potential security bug.”
Google also rewards incomplete exploits – depending on how instructive they are – for discovering bugs in Flash, Windows or a driver that impacts everyone, including Chrome users.