Google on Monday announced it is hosting its third Pwnium competition, aptly named Pwnium 3, on March 7. The security contest’s main focus will be Chrome OS, for which the company will be offering up to a total of $3.14159 million in rewards for security researchers (Google loves using geeky numbers for its prizes, such as those related to leet and pi).
The breakdown of the winnings is as follows:
- $110,000: Browser or system level compromise in guest mode or as a logged-in user, delivered via a web page.
- $150,000: Compromise with device persistence — guest to guest with interim reboot, delivered via a web page.
In other words, if you find something in Chrome OS, you’ll walk away with a six-figure check. Why such a huge reward? Google says it believes “these larger rewards reflect the additional challenge involved with tackling the security defenses of Chrome OS, compared to traditional operating systems.” There is some fine print worth noting, however:
Standard Pwnium rules apply: the deliverable is the full exploit plus accompanying explanation and breakdown of individual bugs used. Exploits should be served from a password-authenticated and HTTPS-supported Google property, such as Google App Engine. The bugs used must not be known to us or fixed on trunk. We reserve the right to issue partial rewards for partial, incomplete or unreliable exploits.
Unfortunately, Google is limiting the hardware to just one device: the attack must be demonstrated against a Wi-Fi model of the Samsung Series 5 550 Chromebook. It will be running the latest stable version of Chrome OS at the time of the contest (currently we’re on version 23.0.1271.111), meaning security researchers and hackers can only use the installed software that comes with the device (including the kernel and drivers, etc.).
As such, if you plan on taking part in the contest, you’ll likely want to go out and buy Samsung’s $400 Chromebook. Alternatively, you can try using a virtual machine, but naturally you’ll be at a disadvantage.
If you’d rather target Chrome over Chrome OS, you’ll want to be at the annual Pwn2Own competition, to be hosted by HP’s Zero Day Initiative (ZDI) at the CanSecWest security conference between March 6 and March 8 in Vancouver, Canada. Google isn’t offering Chrome rewards for Pwnium this year because the company has teamed up with ZDI to rework the Pwn2Own rules and underwrite a portion of the winnings for all targets. In short, go to Pwnium for Chrome OS and Pwn2Own for Chrome (plus all the other major browsers).