Google will put as much as $1 million up for grabs if researchers can exploit Chrome in this months - Polidicks

[QUOTE]Google on Monday withdrew as a sponsor of next month's Pwn2Own hacking contest, and will instead put as much as $1 million up for grabs if researchers can exploit Chrome. The company will run its own exploit challenge at the CanSecWest security conference, the venue for Pwn2Own, because it objected to what it said was a change in the rules by contest organizer and prime sponsor, HP TippingPoint's bug-bounty program, Zero Day Initiative (ZDI). "We decided to withdraw our sponsorship when we discovered that contestants are permitted to enter Pwn2Own without having to reveal full exploits, or even all of the bugs used, to vendors," said Chris Evans and Justin Schuh, two members of the Chrome security team, in a Monday post to the Chromium blog. "Full exploits have been handed over in previous years, but it's an explicit non-requirement in this year's contest, and that's worrisome." Pwn2Own's rules say nothing about not handing over complete exploits or all bugs to vendors at the close of the contest, but a Jan. 23 tweet by ZDI said, "To clarify, if a team demonstrates 0day at Pwn2Own 2012, but doesn't end up as a winner, the vuln[nerability] is still theirs and will not be reported." Previously, Google had promised to pay $20,000 to any researcher who managed to exploit Chrome by leveraging browser-only flaws, and $10,000 for a "partial" exploit that relies on a bug in Chrome in addition to a bug in the operating system. Because Chrome is "sandboxed" -- an anti-exploit technology that isolates malware -- a hack of the browser typically requires two or more exploits. The first is necessary to get attack code out of the sandbox, and the second is needed to actually exploit a Chrome vulnerability and plant malware on the machine. But Google is ditching that $20,000 maximum scheme, and will put up to $1 million on the line at CanSecWest, said Evans and Schuh. "We've upped the ante," said the engineers. For what they called a "full Chrome exploit" -- one that successfully hacks Chrome on Windows 7 using only vulnerabilities in Chrome itself -- Google will pay $60,000, which is equivalent to Pwn2Own's top prize for that three-day contest. A partial exploit that uses one bug within Chrome and one or more others -- perhaps in Windows -- earns a researcher $40,000. Finally, Google will pay $20,000 for "consolation" exploits that hack Chrome without using any vulnerabilities in the browser itself. The only limit Google has put on the challenge is a maximum total payout of $1 million. "We will issue multiple rewards per category, up to the $1 million limit, on a first-come-first served basis," said Evans and Schuh. For the bigger rewards, Google will require more from researchers, who must demonstrate that the bug(s) are reliably exploitable, of critical impact and true "zero-days" that are unknown to Google and have not been shared with any third parties. Both the vulnerabilities used as well as the full exploit must be handed over to Google so that it can, as Evans and Schuh said, "Enhance our mitigations, automated testing, and sandboxing." Google's rules also effectively eliminate that few if any working Chrome exploits will be used in Pwn2Own. "Contestant's exploits must be submitted to and judged by Google before being submitted anywhere else," said Evans and Schuh. Although HP TippingPoint was not available late Monday for comment on Google's departure from Pwn2Own, a Twitter exchange sounded like the split was amicable.[/QUOTE] [url]http://www.computerworld.com/s/article/9224701/Google_puts_1M_on_the_line_for_Chrome_exploit_rewards?taxonomyId=17&pageNumber=2[/url] Damn

Will either happen in a day or not at all

google's already taken their own prize because fucking youtube is broken for me and chrome has lagged ass.

Instead of making them into complete villains they decide that it's best to pay them for finding exploits that could be fixed. It's a good idea.

[QUOTE=DeandreT;34914192]Instead of making them into complete villains they decide that it's best to pay them for finding exploits that could be fixed. It's a good idea.[/QUOTE] Concept which has been used over and over since the very beginning. It's nothing novelty. It's the people who come into the industry for pure gain who don't know about it.

Wtf ? The Baconator, did you read the article ? Google withdrew from sponsoring the Pwn2Own and created their own contest.

[QUOTE=Awesomecaek;34914232]Concept which has been used over and over since the very beginning. It's nothing novelty. It's the people who come into the industry for pure gain who don't know about it.[/QUOTE] It's great that it happens with people that are hated for what they do. It gives them a chance to have a job that doesn't require you to be hurting other people. If I had a team developing software, I would probably want an ex-hacker or someone with skill in finding and abusing exploits on our team to be able to test how secure and safe it actually is.

Wasn't there a company who challenged people to break their security system, and when somebody did they went into a hissy fit?

[QUOTE=DeandreT;34914192]Instead of making them into complete villains they decide that it's best to pay them for finding exploits that could be fixed. It's a good idea.[/QUOTE] Ethical hacking, which is a course taught by a few Unis in the UK (not sure about others) but its a qualification in hacking, and it allows you to offer your hacking services to banks for example, who will pay you to find flaws in their security

[QUOTE=DeandreT;34914496]It's great that it happens with people that are hated for what they do. It gives them a chance to have a job that doesn't require you to be hurting other people. If I had a team developing software, I would probably want an ex-hacker or someone with skill in finding and abusing exploits on our team to be able to test how secure and safe it actually is.[/QUOTE] That's called being a gray-hat and it's something older than the internet itself. People capable of circumventing security are logically the best ones to strengthen it.

[QUOTE=Awesomecaek;34914725]That's called being a gray-hat and it's something older than the internet itself. People capable of circumventing security are logically the best ones to strengthen it.[/QUOTE] A great example are former bigshot burglars who ended up starting their own home security company, since they knew how to spot weaknesses in security systems.

[QUOTE=Van-man;34914792]A great example are former bigshot burglars who ended up starting their own home security company, since they knew how to spot weaknesses in security systems.[/QUOTE] and this guy [url]http://www.imdb.com/title/tt0264464/[/url]

Nobody reads the news anymore, they just vaguely talk about something similar to the tittle

Not enforcing 100% transparency on an officially sponsored hacking contest is absolute bullshit. Google did the right thing.

[QUOTE=Mechanical43;34915595]Nobody reads the news anymore, they just vaguely talk about something similar to the tittle[/QUOTE] It's always been like that

[QUOTE=MightyMax;34914107]google's already taken their own prize because fucking youtube is broken for me and chrome has lagged ass.[/QUOTE] > Disable Chrome's built in flash player > Restart and go to youtube > ????? > Profit The crashing of flash/shockwave is caused by having two separate installs of flash running, disabling Chrome's means it won't break other programs/games.

"We decided to withdraw our sponsorship when we discovered that contestants are permitted to enter Pwn2Own without having to reveal full exploits, or even all of the bugs used, to vendors," I do not blame Google at all for wanting out of it. That completely defeats the whole point (in my mind) of Pwn2Own.