How much is a browser vulnerability worth? There's certainly good money to be made if the prizes on offer for disclosing exploits at this year's Pwn2Own contest are anything to go by.
The infamous hackathon held at the CanSecWest bash in early March will offer more than $500,000 in prize money to those able to confound browser security.
The largest prizes will go to contestants who can successfully compromise Google Chrome on Windows 7 or IE 10 on Windows 8 – each of which is worth $100,000.
That Google's Chrome features so far up the prize-money stakes may be down to its return as a co-sponsor.
Last year, Google famously withdrew its sponsorship offer for Pwn2Own, complaining that the competition rules would allow entrants to demonstrate hacks that defeated a browser's sandbox security feature, without having to share the full details of the exploit. It set up its own rival hacking competition in response.
At the time, Pwn2Own's organiser, the Zero Day Initiative (ZDI), argued that the market value of sandbox escapes far exceeded the prize money on offer.
This year, the prize money has gone up, but it appears that Google's return to the fold comes at the expense of greater openness.
“Upon successful demonstration of the exploit, the contestant will provide HP ZDI a fully functioning exploit and all the details of the vulnerability used in the attack,” wrote Brian Gorenc, a security researcher at HP DVLabs, which oversees the ZDI team, on the blog post announcing this year's competition.
In another change, a further pot of prize money will be allocated to contestants that demonstrate exploits via third-party plug-ins.
But will hackers be persuaded that the prize money is enough?
Last year's standout team - the exploit writers from French security firm Vupen, who cracked Chrome in a matter of minutes - described the changes in terms and conditions as "frustrating".
But Chaouki Bekrar, chief executive of Vupen, told V3 it was likely that his team would be back - although it may consider going after different targets.
"For now, we have registered for all targets and depending on how many of them we are allowed to go after and on whether the full technical details and codes are provided by ZDI to the vendor or kept private for their internal research use, we will decide if we will pwn a specific browser or plugin, pwn them all, or not participate at all," he said.
The change in Pwn2Own entry conditions was prompted by the increasing sophistication of exploits, said DVLabs' Gorenc.
“We do not believe that a lone bug is enough to fully compromise a target, given all the advances in mitigation approaches. Because we’re asking our researchers to disclose more than we have in the past, we have increased their compensation this year," he told V3.
01 Apr 2011
Demand for Firefox 4 shows no sign of slowing down after passing the 50 million download mark just 10 days after launch.
European web users lead the way with just under 20 million downloads, and the early signs suggest that Firefox 4 could become one of the most popular browsers ever released.
V3.co.uk has road tested Firefox 4 for desktops and the new Firefox for Android app, both versions impressing in the office.
Firefox 4 also continued to give Microsoft's IE9 browser a pasting when it comes to uptake. Mozilla's browser hotfooted its way to 3.5 million downloads in just four hours, whereas IE9 took 24 hours to reach 2.35 million.
Firefox 4 passed the 40 million mark on 29 March, meaning that the browser has notched up another 10 million downloads in the past four days.
However, Microsoft has hit back at the download comparisons between browsers, claiming that they are misleading.
"Every browser has a mechanism for updating their users from a previous version of a browser to the latest and greatest. For IE9, it is done through Windows Update. In the case of FF 4.0 and Chrome 10 their update mechanisms are turned on as part of their initial release to web," said Ryan Gavin, senior director of Internet Explorer business and marketing, in The Windows Blog.
"We have yet to turn on any updating for any Windows customers who have not previously downloaded the IE9 Beta or IE9 RC. So, every IE9 download is from a customer actively seeking out Internet Explorer 9 and downloading it. No automatic update or in-product prompts."
Gavin also appeared to take a swipe at Mozilla's numbers, adding that Microsoft reports "completed downloads - not attempted downloads where a user may hit a download button repeatedly but without fully downloading IE9".
Microsoft has also been quick to add that IE9 has been installed on 3.6 per cent of machines running Windows 7, trumping IE8's figures a month after it was launched.
However, with IE9 available only on Vista and Windows 7, many users on older versions of Windows will be unable to run the browser, which is likely to help Firefox increase its global share.
V3.co.uk readers also favour Firefox over IE9, with 45 per cent saying they would use the Mozilla browser compared with just 23 per cent for Microsoft's.