On Monday Google said it is now shelling out up to $1 million worth of rewards for anyone who can crack open its Chrome web browser.
According to Chris Evans and Justin Schuh of the Google Chrome Security Team, the biggest cash prize of $60,000 will go to those who discover a "full Chrome exploit" using bugs found only within Chrome itself. $40,000 will be awarded to those who perform a partial Chrome exploit using at least one Chrome bug plus other OS bugs (a WebKit bug combined with a Windows sandbox bug, for example).
"Originally, our plan was to sponsor as part of this year’s Pwn2Own competition," the Google Chrome Security team said on Monday. "Unfortunately, we decided to withdraw our sponsorship when we discovered that contestants are permitted to enter Pwn2Own without having to reveal full exploits (or even all of the bugs used!) to vendors. Full exploits have been handed over in previous years, but it’s an explicit non-requirement in this year’s contest, and that’s worrisome."
Thus, Google is now offering rewards for hacking its web browser outside the Pwn2Own competition. In addition to the Full Chrome Exploit and Partial Chrome Exploit categories, Google will also offer $20,000 to those who fall under the "Consolation reward, Flash / Windows / other" category, or rather, those who discover bugs that could threaten users in any browser including bugs in one or more of Flash, Windows or a device driver.
The team said Google is offering consolation prizes because these findings help propel the company's overall mission to make the entire web safer to crawl no matter what browser is used.
"We will issue multiple rewards per category, up to the $1 million limit, on a first-come-first served basis," the blog reads. "There is no splitting of winnings or 'winner takes all.' We require each set of exploit bugs to be reliable, fully functional end to end, disjoint, of critical impact, present in the latest versions and genuinely '0-day,' i.e. not known to us or previously shared with third parties. Contestant’s exploits must be submitted to and judged by Google before being submitted anywhere else."
All winners will also receive a Chromebook, the team said.