Who wouldn't be tempted by a $1m cash pot for spotting flaws in Google's flagship Chrome browser? Well, the answer – according to some – is the very computer scientists with the necessary hacking skills to crack the browser that Google is hoping to attract.
This pointed barb was chucked Google's way after it admitted that it had withdrawn its offer of sponsorship for the infamous Pwn2Own browser hacking contest, which takes place at the CanSecWest conference on
Google it seems was unhappy that some entrants might be able to make off with the Pwn2Own booty, without having to divulge the secrets of the exploits that succeeded against its browser.
Instead, Google has set up its own Chrome-hacking competition, complete with $1m in cash prizes to hand out – with top prizes of $60,000 for full Chrome exploits.
But the organisers of the Pwn2Own contest have hit back at what they see as a misrepresentation of their contest.
In a blog post, the Zero Day Initiative team point out that the Pwn2Own competition has a long history of handing out rewards for the disclosure of so-called code execution vulnerabilities.
The organisers also demand that teams also demonstrate any so-called sandbox escapes they use in the competition – but they are not required to provide full disclosure of these types of exploit.
These second type of exploit are both rare – and potentially very lucrative for hackers, the organisers wrote:
“We strongly believe that those considering participating in Pwn2Own would not do so without a considerable reward [for sandbox escapes].”
They also had some harsh words about Google's alternative competition.
“It is fair to say that a sophisticated sandbox-escape exploit could certainly wreak more than $60,000 worth of damage in the enterprise space,” they wrote.
“That is why such an exploit against Chrome will never see the light of day at CanSecWest. Instead, the grand Google prize will go unclaimed and the great takeaway from Pwnium will be that Google Chrome is unhackable.”
Google's hubris could actually be a set back the browser security, they added.
One commentator tweeted:
@thezdi I agree with your blog post 110%. To bad Googs self interest blinded fact and logic. Everyone loses in the end esp. browser security— Kris Lamb (@krislamb) February 29, 2012
02 Mar 2012