Google is offering major rewards to hackers competing in their fourth Pwnium event at CanSecWest in Vancouver. Do you have what it takes to win big? Here's what you need to know.
All software has bugs, and sometimes those bugs can be hard to find. With millions of lines of code, it can be difficult for even the most seasoned developers to find every potential problem with a product. Because of this, many companies have turned to hackers for help; and no, we're not talking about the 1995 movie (although I wish we were).
The hackers referred to are professional bug researchers who hack a software or system to find security issues. Companies like Google hire these researchers to help with product development. On March 12, 2014 Google will host their fourth Pwnium event at the CanSecWest applied security conference in Vancouver, only this year the stakes are higher. Google is offering more than $2.7 million in rewards, with individual rewards as high as $150,000 to hackers who can exploit Google's Chromium browser or Chromium OS—the open source platforms behind the Chrome browser and Chrome OS.
"When researchers help us identify bugs and weaknesses in a responsible manner, we can fix the bugs quickly, and we can develop new security mechanisms to make Chrome and Chrome OS even more secure," a Google spokesperson said.
Researchers get their choice of two Chromebooks to demonstrate their exploits on—an ARM-based HP Chromebook 11 or an Acer C720 Intel Chromebook. The devices must be running the latest stable version of the Chrome OS and the exploit he or she demonstrates must be original and unreported. Competitors must also submit full documentation of the hack and its security implications.
The format has been changed this year so participants must register for a time slot in advance. To register, email firstname.lastname@example.org. Registration will close at 5:00 p.m. PST Monday, March 10th, 2014. The exploit must be developed in advance and presented at the conference and members of the Chromium security team will oversee the demonstration and determine eligibility and rewards.
If you are thinking of entering Pwnium this year, your exploit must meet the following requirements according to the Chromium site:
- Be an unreported and original exploit, which has not been shared or partially shared with anyone else or submitted in any other contests.
- Be an exploit relying on an unreported and original bug, bugs or security feature in Chrome OS, Flash or other software e.g. drivers.
- Be an attack that’s demonstrated against a base (WiFi) model of the ARM-based HP Chromebook 11, running the latest stable version of Chrome OS; or a 2GB WiFi model of the Acer C720 Intel Chromebook, running the latest stable version of Chrome OS.
- Be a remote exploit accessible through the Chrome browser, which works and is reliable.
- Be served from a password-authenticated and HTTPS-supported Google property, such as Google App Engine.
- Be present in the most recent supported channel(s) of Chrome OS.
- Be a critical vulnerability of high impact.
- Be authored or created by you.
- Be submitted with corresponding documentation that details each bug exploited.
According to the Google spokesperson mentioned earlier, the goal of Pwnium 4 is: "To engage the security community at large in helping make Chromium and Chromium OS more secure." But Pwnium is often seen as the little brother of the Pwn2Own event because of its narrow focus. At last year's Pwnium 3, there were no winners and only one entry that took home a partial reward. Chaouki Bekrar, CEO and Head of Research at Vupen, said that some entrants need a more interesting target.
"From a security research point of view, the most interesting targets are those with the highest market share and that is why the majority of researchers prefer to register for Pwn2Own rather than Pwnium since Chromebook's market penetration is still very low," Bekrar said. "Anyway, both competitions encourage researchers to make their best efforts to defeat the most secure software and systems."
Is Pwnium worth it? Have you been to a Google hacking event before? Sending a developer? We want to hear about it. Post your stories in the comments.
Hack the world.
Pwnium 4 details
Who: Hackers, Google
What: A hacking competition to exploit Chromium and Chromium OS.
When: March 12, 2014, 10 a.m. - 12 p.m. (PST)
Why: Um, you could win $150,000...