Google Ups Hacking Bounty Ante with ‘Infinity Dollar’ Reward

Google has announced a radical shake-up of its annual Pwnium Chrome hacking contest which will make the competition a year-round affair and push the prize money on offer up to a theoretical “$∞ million,” according to the web giant.

The contest, now in its fifth year, has up until now been held at an annual day-long event at CanSecWest where researchers were able to present their exploits and vie for a share of $2.7m in cash prizes (as of 2014).

However, hacker philanthropist Tim Willis of the Google Chrome Security Team explained that the changes were being made to remove barriers to entry.

“At Pwnium competitions, a security researcher would need to have a bug chain in March, pre-register, have a physical presence at the competition location and hopefully get a good timeslot,” he said in a blog post.

“Under the new scheme, security researchers can submit their bugs year-round through the Chrome Vulnerability Reward Program (VRP) whenever they find them.”

Willis added that the new year-long competition rules would remove the incentive for some to hoard bugs until the Pwnium event.

“This [hoarding] is a bad scenario for all parties. It’s bad for us because the bug doesn’t get fixed immediately and our users are left at risk,” claimed Willis.

“It’s bad for them as they run the real risk of a bug collision. By allowing security researchers to submit bugs all year-round, collisions are significantly less likely and security researchers aren’t duplicating their efforts on the same bugs.”

He added that most of the researchers who contribute to Pwnium fed back to Google that they’d prefer a year-long competition.

However, for those excited by the headline news that Google will be upping the total rewards on offer to “infinity dollars” – Willis clarified that the top reward amount would be increased to just $50,000.

He added:

“Our lawyercats wouldn’t let me say ‘never-ending’ or ‘infinity million’ without adding that ‘this is an experimental and discretionary rewards program and Google may cancel or modify the program at any time.’ Check out the reward eligibility requirements on the Chrome VRP page.”

Security experts largely welcomed Google’s announcement.

“This is wonderful news and all about the larger strategy of the security process,” Lancope CTO TK Keanini told Infosecurity.

“For every flaw found and fixed, it makes it that much harder for the adversaries. I applaud Google for directing the talent in a way that helps everyone be more secure.”

Mark James, security specialist at Eset, said the new competition rules would benefit the industry as a whole.

“Bug bounties are always going to be an area open for discussion or argument but the bottom line is that they really can make us more secure,” he told Infosecurity.

“Opening this up as an all year round event is great publicity of course for Google. But I think it is even better for the participants who can earn a good amount of cash for applying their wealth of skills and could well lead to some of those individuals realizing their skills and earning themselves a wage rather than moving over to the dark side and ending up being the bad guys.”

Imperva CTO Amichai Shulman added that there may be an ulterior motive for the changes to the way Pwnium works.

“They do provide in their post all the right reasons for taking this new model,” he told Infosecurity.

“Plus, there’s one reason they do not mention – if a vulnerability is disclosed at the Pwnium day, it immediately gains publicity. If it is disclosed silently through this process it provides Google more control over the mitigation schedule.”