# Google ups ante for Chrome hack at revamped Pwn2Own



## Glaswegian (Sep 16, 2005)

Pwn2Own hacking contest winners will receive a first prize of $60,000 this year - four times 2011's top reward - as organisers TippingPoint dramatically revamped the challenge.

Google will also significantly increase the money it potentially will pay to people able to hack its Chrome browser.

Pwn2Own will take place over a three-day stretch in early March at the Vancouver, British Columbia-based CanSecWest security conference.

Four desktop browsers - the most up-to-date editions of Chrome, Apple's Safari, Microsoft's Internet Explorer and Mozilla's Firefox - will feature as this year's targets, said Aaron Portnoy, the leader of TippingPoint's security research team and the organiser of Pwn2Own.

Rather than take a target off the table when the first researcher manages an exploit - as has been done at past Pwn2Owns - this year the contest will use a point schedule that lets everyone try their hand.

More importantly, researchers will be challenged to devise exploits on the spot.

"The first morning of the contest we'll announce two vulnerabilities per target that have been patched and give researchers a basic proof-of-concept," said Portnoy. "Until now, Pwn2Own has never been much of a spectator sport."

The on-site exploit writing should change that, as researchers or teams of researchers will be awarded 10 points per hack on the first day, nine points on the second and eight points on the third.

While those scores will be much less than the 32 points awarded for each new browser "zero-day" - or previously unpatched - vulnerability revealed and exploited at Pwn2Own, they make it possible, said Portnoy, for someone to win the big money by adding one or more on-site exploits to the zero-day(s) they bring with them.

The on-site exploits will take aim at older versions of the four browsers that were available during 2011. Microsoft's Internet Explorer 8 (IE8) will likely be one of the targets, for instance.

The top-scoring researcher or team will take home $60,000, triple the maximum Pwn2Own has given in the past. The second-place prize will be $30,000, and third place will collect $15,000.

Last year, the biggest cash prize was $15,000, which went to the first researcher able to hack one of the desktop or mobile browsers put in the spotlight.

Among the other changes, said Portnoy, is the elimination of the random drawing that decided the order in which researchers took on targets.

"That really wasn't fair to competitors," said Portnoy, noting that the first in line had a decided advantage because once exploited, a browser was removed from the contest.

"We won't have any winners until the end of the third day," Portnoy added.

Stretching out the contest and offering points for on-the-scene exploits will also distance Pwn2Own from headlines that Portnoy called "sensationalist."

Because researchers came armed with zero-day vulnerabilities they had found earlier, along with exploits created before the contest, media reports often focused on the short time it took a hacker to break a browser.

Google will also reprise its promise to pay $20,000 for Chrome exploits, said Portnoy.

Last year, Google said it would pay that amount to the first researcher who successfully exploited Chrome using vulnerabilities in Google's own code. In 2011, it also said it would pay $10,000 to any researchers who employed a non-Chrome bug, say one in Windows, to break out of the browser's sandbox.

This year, Google will pony up $20,000 to any researcher who manages to exploit Chrome by leveraging Google-only flaws. "Google will pay $20,000 each to any researchers who demonstrate vulnerabilities in Google's code," said Portnoy.

In other words, if six different researchers hack Chrome using six different sets of Google-exposed vulnerabilities, the search giant will be on the hook for $120,000.

What Portnoy called a "partial" exploit will earn a researcher $10,000. "A partial Chrome hack uses a bug in Chrome in addition to a bug in the operating system," said Portnoy.

Because Chrome is "sandboxed" - the label for an anti-exploit technology that isolates malware - a hack of the browser typically requires two or more exploits. The first is necessary to get attack code out of the sandbox, and the second is needed to actually exploit a Chrome vulnerability and plant malware on the machine.

Any money paid out by Google will be above and beyond the three cash prizes given by TippingPoint.

Google's money may be safe: Chrome has never been exploited at Pwn2Own.

No other browser maker has stepped forward with a similar offer for this year's contest, Portnoy confirmed.

TippingPoint today posted the revised contest rules on its website, and will release news during the challenge from a special Twitter account.


Google ups ante for Chrome hack at revamped Pwn2Own - Techworld.com


----------

