This article was published on January 23, 2014

Google offers $2.7 million in rewards at Pwnium 4 hacking contest for Chrome OS



Google today announced it is hosting its fourth Pwnium competition, aptly named Pwnium 4, this March. The security contest’s main focus will be Chrome OS, for which the company will be offering up to a total of $2.71828 million in rewards for security researchers (Google loves using geeky numbers for its prizes, such as those related to leet and pi – this one is for the mathematical constant e).

The breakdown of the winnings is the same as last year:

  • $110,000 USD: Browser or system-level compromise in guest mode or as a logged-in user, delivered via a web page.
  • $150,000 USD: Compromise with device persistence: guest to guest with interim reboot, delivered via a web page.

Again, just like in 2013, if you can hack Chrome OS, you’ll walk away with a six-figure check. Furthermore, this year Google is also planning to give out significant bonuses for demonstrating “a particularly impressive or surprising exploit.” The company offers three examples: defeating kASLR, exploiting memory corruption in the 64-bit browser process, or exploiting the kernel directly from a renderer process.

Also new in 2014, security researchers can choose between an ARM-based Chromebook (the WiFi-only HP Chromebook 11) or the Acer C720 Chromebook (the WiFi-only 2GB version) that is based on the Intel Haswell microarchitecture. Last year, only Intel-based Chrome OS devices were allowed to be hacked for prize money.

There is one other rule worth emphasizing: the attack must be demonstrated against one of the two aforementioned devices running whatever the Chrome OS stable version is at the time. All software included with the default installation of those devices may be used as part of the attack.

The full exploit must be given to Google, with explanations for all individual bugs used (all of which must be unknown), and exploits should be served from a password-authenticated and HTTPS-supported Google App Engine URL. Last year, no exploits for Chrome OS were found.

You can read the full list of rules here and register to get your timeslot by sending an e-mail to [email protected] before 5:00 PM PST on March 10, 2014.

Top Image Credit: Nauris Mozoleff
