A contest that pays out prize money to security researchers who discover vulnerabilities in the Google Chrome browser will go from an annual event to a year-round one, according to the company. The competition, known as Pwnium, awards researchers payments of $500 or more. Google said it is increasing the value of the top prize to $50,000.
In previous years, the company had made a limited pool of money available to researchers who could discover security flaws in the Chrome browser, but only for a single day during the CanSecWest event held in Canada. Last year, Google offered a prize pool of $2.71828 million, an approximation of the mathematical constant “e.” From now on, the prize pool will be unlimited, or, as Google said on its Chromium blog, “infinity million dollars.” Chromium is the open source project behind the Google Chrome browser.
Opening Up the Competition
The Pwnium contest is now in its fifth year. Google said it is making the changes in response to feedback from participating researchers. “We asked our handful of participants if they wanted an option to report all year. They did, so we’re delivering,” the company wrote on the Chromium blog.
The new rules should significantly reduce the barriers to entry for security researchers hoping to cash in on the reward. Previously, a researcher had to have a bug tracking chain on the Chromium wiki in March, pre-register, have a physical presence at the competition location and hope for a good time slot.
Under the new scheme, security researchers can submit their bugs year-round through the Chrome Vulnerability Reward Program whenever they find them. In theory, that should help open up the competition to a much broader group of researchers around the world.
Combating ‘Bug Hoarding’
In addition to making the competition easier to enter, Google said it was also hoping to reduce the incentive for “bug hoarding,” in which researchers delay announcing their discoveries so they can present them during the CanSecWest event.
“If a security researcher was to discover a Pwnium-quality bug chain today, it’s highly likely that they would wait until the contest to report it to get a cash reward,” Tim Willis, a member of the Chrome Security Team, wrote in the Chromium blog post.
“This is a bad scenario for all parties. It’s bad for us because the bug doesn’t get fixed immediately and our users are left at risk. It’s bad for them as they run the real risk of a bug collision,” Willis said. “By allowing security researchers to submit bugs all year-round, collisions are significantly less likely and security researchers aren’t duplicating their efforts on the same bugs.”
The contest is not limited to just Chromium. Bugs in either the Chromium or Chrome builds may be eligible. In addition, bugs in plug-ins that are shipped with Google Chrome by default, such as PDFium or Adobe Flash, are usually eligible. Bugs in third-party plug-ins and extensions, however, are ineligible.