Google returns to Pwn2Own browser hacking contest with piles of cash

22 Jan 2013

malware virus security

How much is a browser vulnerability worth? There's certainly good money to be made if the prizes on offer for disclosing exploits at this year's Pwn2Own contest are anything to go by.

The infamous hackathon held at the CanSecWest bash in early March will offer more than $500,000 in prize money to those able to confound browser security.

The largest prizes will go to contestants that can successfully compromise Google Chrome on Windows 7 or IE 10 on Windows 8 – either of which are worth $100,000.

That Google's Chrome features so far up the prize-money stakes may be down to its return as a co-sponsor.

Last year, Google famously withdrew its sponsorship offer for Pwn2Own, complaining that the competition rules would allow entrants to demonstrate hacks that defeated a browser's sandbox security feature, without having to share the full details of the exploit. It set up its own rival hacking competition in response.

At the time, Pwn2Own organisers, the Zero Day Initiative argued that the market value for sandbox escapes far exceeded the prize money on offer.

This year, the prize money has gone up, but it appears that Google's return to the fold comes at the expense of greater openness.

“Upon successful demonstration of the exploit, the contestant will provide HP ZDI a fully functioning exploit and all the details of the vulnerability used in the attack,” wrote Brian Gorenc, a security researcher at HP DVLabs, which oversees the ZDI team, one the blog announcing this year's competition.

In another change, a further pot of prize money will be allocated to contestants that demonstrate exploits via third-party plug-ins.

But will hackers be persuaded that the prize money is enough? 

Last year's stand out team - the exploit writers from French security firm Vupen, who cracked Chrome in a matter of minutes - described the changes in terms and conditions as "frustrating".

But Chauoki Bekar, chief executive of Vupen told V3 it was likely that his team would be back - although it may consider going after different targets.

"For now, we have registered for all targets and depending on how many of them we are allowed to go after and on whether the full technical details and codes are provided by ZDI to the vendor or kept private for their internal research use, we will decide if we will pwn a specific browser or plugin, pwn them all, or do not participate at all," he said.

The change in Pwn2Own entry conditions was prompted by the increasing sophistication of exploits, said DVLabs' Gorenc.

“We do not believe that a lone bug is enough to fully compromise a target, given all the advances in mitigation approaches. Because we’re asking our researchers to disclose more than we have in the past, we have increased their compensation this year," he told V3.

About The Frontline

Insight into the latest tech news from's team of reporters

Project Manager / Technical Project Manager - (Prince 2, ERP, MS Project, ISO, PPI)

Project Manager / Technical Project Manager - (Prince...

Software QA Tester - No.1 Online Video Gaming Tech Provider

Software QA Tester - No.1 Online Video Gaming Tech Provider...

Development Team Leader - Sage One

What's it all about? Sage One is designed specifically...

CRM System Support & Development Manager

At the University of Derby, people are at the heart of...

Browse posts by date

Cal_navigation_previousJanuary 2013Cal_navigation_next

Other sites we like at The Frontline