Google has upped the ante in its industry-leading cash-for-security-bugs program with hefty bonuses and a hacking contest that will award up to $2 million worth of prizes to people who successfully exploit its Chrome browser.
On Wednesday, the search giant announced plans for Pwnium 2, a contest that will pay $60,000 for hacks that fully exploit its Chrome and Chromium browsers. The competition, scheduled for October 10 at the Hack In The Box security conference in Malaysia, will award smaller amounts for Chrome attacks that rely on code not native to the browser. For instance, a "partial Chrome exploit," such as one that combines a bug in Chrome's native code base with a bug in Windows, will be awarded $50,000. A "non-Chrome exploit" in Adobe Flash, Windows or other app will fetch $40,000.
"You may have noticed that we've compressed the reward levels closer together for Pwnium 2," Google software engineer Chris Evans wrote in Wednesday's blog post. "This is in response to feedback, and reflects that any local account compromise is very serious. We're happy to make the web safer by any means—even rewarding vulnerabilities outside of our immediate control."
Google will award prizes until the $2 million threshold is reached. The company paid just $120,000 worth of awards during the first Pwnium contest in March. While the amount was only 12 percent of the $1 million it pledged, the competition resulted in two exploits that were noteworthy because they relied entirely on code native to Chrome to break out of its highly regarded security sandbox. The mechanism contains JavaScript, HTML and other web content inside a tightly restricted perimeter to prevent it from hijacking sensitive operating-system functions such as changing registry settings or accessing user data.
Among the contestants winning one of the $60,000 prizes was a 19-year-old hacker who went by the moniker Pinkie Pie. Google later released an autopsy of his exploit that showed it relied on six separate bugs to circumvent the sandbox and other defenses baked into Chrome.
Wednesday's announcement came less than 24 hours after Google said it would pay $1,000 bonuses on top of the already large sums it already pays to researchers who privately report exploitable bugs. Under the Chromium Rewards Program, severe bugs already fetched a reward of $3,133.70, although it has been known to pay as much as $10,000 for particularly severe exploits.
Show me the money
Along with Facebook, Mozilla, PayPal, and djbdns creator Daniel J. Bernstein, Google is one of a handful of services or software developers to pay bug bounties. The rewards address a complaint made by some researchers that they frequently receive no compensation for the countless hours they spend discovering and reporting vulnerabilities in other companies' software. To date, Google said, it has paid more than $1 million for bugs affecting its software and web properties. Companies such as Adobe and Microsoft, by contrast, have paid nothing, although Microsoft recently awarded $250,000 to three people in exchange for defenses designed to improve the overall security of its software.
The debate about bug bounties comes amid a larger discussion about the propriety of researchers who sell exploits to governmental agencies. Critics of the practice say it could enable repressive governments to track down dissidents or allow unlawful spying by governments without a court order. Proponents down-play the role of so-called "zero-day" exploits in hacks and say they are careful about who they sell to.
Google said the $1,000 bonus to its Chrome rewards program came amid a "significant" decline in the number of externally reported bugs.
"This signals to us that bugs are becoming harder to find, as the efforts of the wider community have made Chromium significantly stronger," the company said.
1 comments:
Read more at http://adfoc.us/83118244384
Post a Comment