Hack Chrome, Take Google’s Money


The "Chromium Security Rewards Program" will be highlighted as Google sponsors a challenge to hackers: expose browser vulnerabilities and win some cash.

The program has sizable, and scalable, rewards for finding shortcomings in the coding. Face it, it takes constant vigilance to maintain the highest level of user security -- and user security is always top-of-mind for Google, Facebook and the other biggies.

The base reward begins at $500, but for an upcoming conference those rewards scale up to as much as $60,000.

The CanWest security conference is March 7-9 in Vancouver and Google is looking for a few good hackers developers. The categories of hacks/rewards are below. Google's also giving away a Chromebook to all the winners.

The only rule is the code-exposures have to be shared directly with Google -- no posting on hackernews.com and then asking for a check.

$60,000 - “Full Chrome exploit”: Chrome / Win7 local OS user account persistence using only bugs in Chrome itself.

$40,000 - “Partial Chrome exploit”: Chrome / Win7 local OS user account persistence using at least one bug in Chrome itself, plus other bugs. For example, a WebKit bug combined with a Windows sandbox bug.

$20,000 - “Consolation reward, Flash / Windows / other”: Chrome / Win7 local OS user account persistence that does not use bugs in Chrome. For example, bugs in one or more of Flash, Windows or a driver.

These exploits are not specific to Chrome and will be a threat to users of any web browser. Although not specifically Chrome’s issue, we’ve decided to offer consolation prizes because these findings still help us toward our mission of making the entire web safer.

All winners will also receive a Chromebook.

We will issue multiple rewards per category, up to the $1 million limit, on a first-come-first served basis. There is no splitting of winnings or “winner takes all.” We require each set of exploit bugs to be reliable, fully functional end to end, disjoint, of critical impact, present in the latest versions and genuinely “0-day,” i.e. not known to us or previously shared with third parties.

Contact Us