Google Puts $20,000 Bounty On Chrome In Hacking Contest

Most software companies have learned to grudgingly cooperate with researchers who expose security vulnerabilities in their products. Google, lately, seems positively excited to see its products taken to pieces by skilled hackers. At the Pwn2Own contest next month, Google will offer $20,000 to the first security researcher who can gain full control of a laptop running its Chrome browser, a task that requires defeating the software’s sandbox protections, measures designed to isolate an attack within the browser and prevent it from accessing the machine’s operating system.

The contest, run annually by security firm Tipping Point, now owned by Hewlett-Packard, will offer a total of $125,000 in cash to hackers who can be the first to compromise various machines including laptops running Apple’s, Microsoft’s, Google’s and Mozilla’s browsers, as well as mobile phones that will include the iPhone 4, BlackBerry Torch, Dell Venue and Nexus S. Successful contestants also walk away with whatever device they managed to hack.

But this year represents the first time Google has added its own bounty to that program, likely making Chrome the prime target of the contest–and, in theory, helping to keep the browser safer from real-world attacks, as all Pwn2Own hacks are disclosed to the software’s vendor before they’re released to the public. “Kudos to the Google security team for taking the initiative to approach us on this,” reads a statement on Tipping Point’s blog. “We’re always in favor of rewarding security researchers for the work they too-often do for free.”

The Chrome prize is only the latest in a string of incentives from Google for anyone who can demonstrate security flaws in its products. In January of last year, it launched a bug-buying program to pay as much as $1,337 for information about critical security bugs in its browser. Within six months, it upped that maximum payout to $3,133.70. (Both numbers contain a coded reference to the word LEET, or “elite” in hacker jargon.) Then in November Google extended those rewards to its Web applications including YouTube, Blogger and Gmail, and soon after announced that it planned to award the first $20,000 for vulnerability information in those programs.

In last year’s Pwn2Own contest, Chrome remained the only browser to end the contest unscathed. Many have argued those results had little to do with Chrome’s security: The browser may have simply been too new at the time to attract much attention from the contest’s researchers. But I speculated at the time that even so, Chrome would have a “sword-in-the-stone”-type reputation by the time the next Pwn2Own rolled around. With $20,000 riding on its fate, that sword is bound to seem shinier than ever.