In a move with perfect timing considering the number of Chromebooks that Google sold over the holidays (hint: a lot), the company has announced its third Pwnium hacking competition, which will have a new focus: the Chrome OS. In all, the browsing behemoth plans to award up to $3.14 million in winnings to those who can produce full exploits.
The attack must be demonstrated against a base (Wi-Fi) model of the Samsung Series 5 550 Chromebook, running the latest stable version of Chrome OS. Any installed software may be used to attempt the attack. Google is also accepting exploits found via a virtual machine.
The Google Chrome browser, meanwhile, is already featured in HP’s Zero Day Initiative (ZDI)’s Pwn2Own competition this year, which is partially underwritten by Google. Both competitions will be held at the CanSecWest security conference taking place March 6–8 in Vancouver.
“Security is one of the core tenets of Chrome, but no software is perfect, and security bugs slip through even the best development and review processes,” the company said in a blog. “That’s why we’ve continued to engage with the security research community to help us find and fix vulnerabilities.”
For Pwnium 3, Google is offering $110,000 for a browser or system level compromise in guest mode or as a logged-in user, delivered via a web page, and $150,000 for a compromise with device persistence (guest to guest with interim reboot), delivered via a web page. Previously it was awarding $60,000 per exploit, up to $2 million.
Winners must deliver a full exploit plus accompanying explanation and breakdown of individual bugs used. Exploits should be served from a password-authenticated and HTTPS-supported Google property, such as Google App Engine.
Google said that the increased moolah is an acknowledgment of the difficulty of the task: “We believe these larger rewards reflect the additional challenge involved with tackling the security defenses of Chrome OS, compared to traditional operating systems,” it said.
Read more:
http://www.infosecurity-magazine.co...hacking-contest-with-314-million-on-the-line/