Having recently complained that the notifications of Chrome bugs has somewhat dropped and hinting that Chrome hackers may lose interest in finding new bugs, Google has stepped up not only its bug rewards, but also its Pwnium prize money.
In Pwnium 2, you can participate in the following categories (from the Pwnium 2 blog post):
- $60,000: “Full Chrome exploit”: Chrome / Win7 local OS user account persistence using only bugs in Chrome itself.
- $50,000: “Partial Chrome exploit”: Chrome / Win7 local OS user account persistence using at least one bug in Chrome itself, plus other bugs. For example, a WebKit bug combined with a Windows kernel bug.
- $40,000: “Non-Chrome exploit”: Flash / Windows / other. Chrome / Win7 local OS user account persistence that does not use bugs in Chrome. For example, bugs in one or more of Flash, Windows or a driver.
- $Panel decision: “Incomplete exploit”: An exploit that is not reliable, or an incomplete exploit chain. For example, code execution inside the sandbox but no sandbox escape; or a working sandbox escape in isolation. For Pwnium 2, we want to reward people who get “part way” as we could definitely learn from this work. Our rewards panel will judge any such works as generously as we can.
Sure, to collect the $2 million, there is quite a bit of work and luck involved, but even if you just succeed in one of the two top categories, you are likely to walk away with more money in your pocket than the average American household earns in an entire year.
Pwnium 2 will be held on October 10 at the Hack In The Box conference in Kuala Lumpur, Malaysia.