

Google offers $1 million reward to hackers who exploit Chrome - statenjason
http://arstechnica.com/business/news/2012/02/google-pledges-1-million-in-cash-to-hackers-who-exploit-chrome.ars

======
TomAnthony
Full details are here:

[http://blog.chromium.org/2012/02/pwnium-rewards-for-exploits...](http://blog.chromium.org/2012/02/pwnium-rewards-for-exploits.html)

Snippet of what reward for what sort of hack:

$60,000 - “Full Chrome exploit”: Chrome / Win7 local OS user account
persistence using only bugs in Chrome itself.

$40,000 - “Partial Chrome exploit”: Chrome / Win7 local OS user account
persistence using at least one bug in Chrome itself, plus other bugs. For
example, a WebKit bug combined with a Windows sandbox bug.

$20,000 - “Consolation reward, Flash / Windows / other”: Chrome / Win7 local
OS user account persistence that does not use bugs in Chrome. For example,
bugs in one or more of Flash, Windows or a driver. These exploits are not
specific to Chrome and will be a threat to users of any web browser. Although
not specifically Chrome’s issue, we’ve decided to offer consolation prizes
because these findings still help us toward our mission of making the entire
web safer.

------
zobzu
The title is so misleading it's just funny.

I could propose to offer 1000 BILLIONS to anyone who exploits Chrome and give
$1 per exploit too (yeah I'm not Google so it's $1 for me).

I think Google is doing that because security companies request such amounts
for exploits before Pwn2Own to Google so that Google doesn't look bad.

And Google didn't take VUPEN's offer on all bugs, so VUPEN said they're going
to go to Pwn2Own and break Chrome with their known exploits. So Google wants
to come out as the good guy.

Yay for politics.

~~~
dmoy
Sorry I can't really parse what you wrote.

$20000~$60000 is not $1. The article explicitly states that they're
withdrawing from Pwn2Own because of a new disclosure policy on exploits.

Am I missing something? The last I heard about VUPEN & Chrome at Pwn2Own was
like a year ago, and they weren't going to tell details on the exploits to
anyone but the government. Though I always assumed that latter part was
conspiracy theory, didn't think much of it...

------
JonnieCache
Anyone know what the actual street value of those vulns would be if you have
the right contacts?

Paging tptacek, paging tptacek to the thread...

------
mackyinc
Kudos to Google for this contest; they went the extra mile in protecting their
users.

------
gcb
Will Google ask Apple for money for pointing out the cookie logic vulnerability
on Safari iOS?

Tum dum tisss

