HP has stepped up to become the sponsor of the annual Pwn2Own hacking contest, putting its money where its mouth is by quadrupling the top prize to $60,000, with Google offering $20,000 to anyone who can hack its popular Chrome browser.
ComputerWorld US reports that the Pwn2Own event will commence in early March at the CanSecWest security conference held in Vancouver. Researchers will be asked to target the most up-to-date versions of Chrome, Safari, Internet Explorer and Firefox, and will be rewarded for devising exploits on the spot.
In previous years, a target has been removed from the contest as soon as a researcher managed to exploit it, but this year’s event will introduce a new points system that lets more researchers attempt different ways to exploit their chosen browser.
Researchers will be awarded 10 points per exploit on the first day, nine points on the second and eight on the third. However, Pwn2Own organisers will award 32 points for each new browser “0-day”, in which a researcher finds a previously unpatched or new vulnerability. Teams will therefore be tempted not only to bring undisclosed exploits with them to the contest, but also to try new techniques whilst they are participating.
The researcher with the most points will win $60,000, second place will take home $30,000 and third will collect $15,000. Last year, Google offered $15,000 to the researcher who could hack any of the browsers used in the contest.
The contest format has been changed to eliminate the use of older exploits that would take a browser out of the game in super-quick time. The new points system is meant to encourage researchers to create on-the-spot hacks and to reduce “sensationalist” headlines that highlighted how quickly a browser fell during the three-day event.
Google will be watching the contest with great interest; it will also pay $20,000 for each Chrome exploit or $10,000 for any non-Chrome bug that could break the browser’s sandbox protection.
The browser hack prize is a generous sum of money for a good reason: to date, Chrome has not been hacked at Pwn2Own. With the incentives now greater than ever, researchers will be looking to change that this year.
Neither Microsoft, Mozilla nor Apple has come forward with a similar reward, so it’s only Google that is set to pay out, should researchers be able to circumvent its security measures.