10 comments

[ 2.4 ms ] story [ 41.3 ms ] thread
Kudos to Google for this contest, they took the extra mile in protecting its users.
So, what happens if the hackers provide more then $1million in exploits????

I mean, "giving rewards until reaching $1 Million"...

Yet, there will be more exploits, there will be more vectors vulnerable to vendetta.

Whatcha Gonna do Google?

I don't really understand what you're saying, but the odds are that they won't have any takers for the $60k and $40k prizes based on previous event history. And I doubt people will bother to break flash and the plugin sandbox over 50 separate times.
Will google ask apple money for pointing out cookie logic vulnerability on safari ios?

Tum dum tisss

The title is so misleading its just funny.

I could propose to offer 1000 BILLIONS to anyone who exploit chrome and give $1 per exploit too (yeah im not Google so it's $1 for me).

I think Google is going that because security companies request such amounts for exploits before Pwn2Own to Google so that Google doesn't look bad.

And Google didn't take VUPEN's offer on all bugs, so VUPEN said they're going to go to Pwn2Own and break Chrome with their known exploits. So Google wants to come out as the good guy.

Yay for politics.

Sorry I can't really parse what you wrote.

$20000~$60000 is not $1. The article explicitly states that they're withdrawing from Pwn2Own because of a new disclosure policy on exploits.

Am I missing something? The last I heard about VUPEN & chrome at pwn2own was like a year ago, and they weren't going to tell details on the exploits to anyone but the government. Though I always assumed that latter part was conspiracy theory, didn't think much of it...

> The title is so misleading its just funny.

Yes, it's sensationalist, Google offers $1 million in rewards to hackers who exploit Chrome would be much better.

Full details are here:

http://blog.chromium.org/2012/02/pwnium-rewards-for-exploits...

Snippet of what reward for what sort of hack:

$60,000 - “Full Chrome exploit”: Chrome / Win7 local OS user account persistence using only bugs in Chrome itself.

$40,000 - “Partial Chrome exploit”: Chrome / Win7 local OS user account persistence using at least one bug in Chrome itself, plus other bugs. For example, a WebKit bug combined with a Windows sandbox bug.

$20,000 - “Consolation reward, Flash / Windows / other”: Chrome / Win7 local OS user account persistence that does not use bugs in Chrome. For example, bugs in one or more of Flash, Windows or a driver. These exploits are not specific to Chrome and will be a threat to users of any web browser. Although not specifically Chrome’s issue, we’ve decided to offer consolation prizes because these findings still help us toward our mission of making the entire web safer.

Anyone know what the actual street value of those vulns would be if you have the right contacts?

Paging tptacek, paging tptacek to the thread...