Google is offering a bounty of $20,000 to the first person who hacks Chrome, effectively inviting hackers to go to town.
The prize is part of the 2011 Pwn2Own contest, which will see hackers from around the world try to find exploits in the leading web browsers.
Prizes of $15,000 are on offer for those who breach the security of Internet Explorer, Firefox and Safari, a $5,000 increase on prizes offered the year prior. A laptop will also be awarded.
Google is offering a larger prize of $20,000 and a CR-48 laptop. It employs a “sandbox” technique for preventing malware from escaping the web browser to infect the computer, which is a much more secure approach than the main rival browsers.
Hackers will only have the launch day of the contest to claim the Google bounty and two exploits need to be found in Google's code to qualify. They must also be able to escape the sandbox feature, which Google is clearly betting isn't possible.
$20,000 can still be won if an exploit is found on the second or third day, but only half of this will come from Google, with Pwn2Own sponsor TippingPoint handing over the other $10,000. Requirements for winning on these two days are also less strict, allowing for non-Chrome bugs.
A similar bounty was offered for the last two year's Pwn2Own contests, but no one managed to break through Chrome's defences in this period. It remains to be seen what will happen for 2011.
A $15,000 bounty is also on offer for anyone who hacks the Dell Venue Pro running Windows 7, iPhone 4 running iOS, Blackberry Torch 9800 running Blackberry 6 OS or Nexus S running Android. A copy of the phone and a few other things will also be thrown in as part of the prize.
Contest details are here.
.jpg){kind=icon}
In principle it's a good exercise. Corporations should put their money where their mouth is. Google probably will have to pay out at some point. It's only a few weeks since they fixed eleven important security vulnerabilities in the latest version of their Chrome web browser -- "three critical, seven high-risk, and one medium":
http://bit.ly/dUEnxk
It troubles me that Google presumably knew about and quietly sat on these, for their own convenience, until they had all been fixed -- rather than prioritising or releasing each fix ASAP.
Chrome is nowhere near as popular as IE, so it's a good way of trying to give Chrome the levels of scrutiny already enjoyed by IE.
I would have been more impressed by a $20 million prize.