SOFTWARE HOUSE Google announced today that it will hold a third Pwnium competition this year, Pwnium 3, which encourages hackers to crack the Chrome operating system (OS) for a reward of up to $3m.
Taking place on 7 March, Pwnium 3 is designed to "improve internet security for everyone" by alerting Google to potential vulnerabilities in its software, while at the same time getting the best researchers in the industry to showcase their skills and take home some rewards.
"Security is one of the core tenets of Chrome, but no software is perfect, and security bugs slip through even the best development and review processes," Google said in its Chromium Blog. "That's why we've continued to engage with the security research community to help us find and fix vulnerabilities."
Rewards will be issued for hacking the Chrome OS for a value up to a total of $3.14m. This is broken up by paying hackers $110,000 for a web browser or system level compromise in guest mode or as a logged-in user, delivered via a web page, and $150,000 for a compromise with device persistence, guest to guest with interim reboot, delivered via a web page.
"We believe these larger rewards reflect the additional challenge involved with tackling the security defenses of Chrome OS, compared to traditional operating systems," Google added.
In order to receive the rewards, hackers must demonstrate an attack against a WiFi model of the Samsung Series 5 550 Chromebook running the latest stable version of Chrome OS. Any installed software, including the kernel and drivers, may be used to attempt the attack.
As with past Pwnium competitions, hackers need to follow the standard rules in order to receive their reward after a successful exploit. This includes delivering a full exploit plus accompanying explanation and breakdown of individual bugs used alongside exploits served from a password authenticated and HTTPS supported Google property, such as Google App Engine. Finally, Google said the bugs used must not be known to it or "fixed on trunk". µ
It's time for our regular two-step through the Google news
Bug bounty offer: accepted