Google is giving away a million bucks to those who can successfully hack Chrome

Making sure that you have the most secure browser on the web means that you need a whole lot of people doing continual security audits and QA. While Google surely has this experience and capability in-house, the company like to challenge outsiders to find holes in its Chrome browser, and give money away to those who do.

For a little over two years, the Chrome team has had a “Chromium Security Rewards Program” that offers pretty sizable monetary rewards to developers who find security holes and bugs within its browser and increases the reward for those who successfully create a fix for the issue they find.

At the CanSecWest security conference in Vancouver from March 7th-9th, Google will be sponsoring a challenge to exploit Chrome with a total of $1M being given away in the following categories:

$60,000 – “Full Chrome exploit”: Chrome / Win7 local OS user account persistence using only bugs in Chrome itself.

$40,000 – “Partial Chrome exploit”: Chrome / Win7 local OS user account persistence using at least one bug in Chrome itself, plus other bugs. For example, a WebKit bug combined with a Windows sandbox bug.

$20,000 – “Consolation reward, Flash / Windows / other”: Chrome / Win7 local OS user account persistence that does not use bugs in Chrome. For example, bugs in one or more of Flash, Windows or a driver. These exploits are not specific to Chrome and will be a threat to users of any web browser. Although not specifically Chrome’s issue, we’ve decided to offer consolation prizes because these findings still help us toward our mission of making the entire web safer.

By holding this type of challenge, Google gets to build a much better relationship with hackers and developers and keep the exploits away from those with nefarious intentions. The company is also giving away a Chromebook to all of the winners, a great way to get these security experts relying on Google’s technology platform even more.

To be able to win the prizes, participants must submit their exploits directly to Google and not anywhere else first, such as publishing them on a blog or sharing them in the press.