Google Chrome is racing ahead to become the most popular browser in the world; it currently holds second position in the browser war. Google Chrome is also the most secure browser, and one of the reasons is the sandbox technology it uses to isolate the browser from the operating system.
The Chrome browser has never been hacked at the annual Pwn2Own contest at the CanSecWest conference. Google is announcing that it will offer $1 million to those who find bugs and exploits in Chrome as well as in other components of the system such as the OS, Flash, etc. We might wonder why Google is paying hackers these rewards for hacking its own browser: it gives Google some mileage for the security of Google Chrome. Even if the browser gets hacked, it will be useful for Google to close the security holes immediately. This is also one of the reasons Google put up a condition that hackers should submit the details of the exploit to the security team.
Google explains in a blog post that this sponsorship of the event gives them “a big learning opportunity when we receive full end-to-end exploits. Not only can we fix the bugs, but by studying the vulnerability and exploit techniques we can enhance our mitigations, automated testing, and sandboxing.”
The breakdown of the $1 million goes like this.
$60,000 – “Full Chrome exploit”: Chrome / Win7 local OS user account persistence using only bugs in Chrome itself.
$40,000 – “Partial Chrome exploit”: Chrome / Win7 local OS user account persistence using at least one bug in Chrome itself, plus other bugs. For example, a WebKit bug combined with a Windows sandbox bug.
$20,000 – “Consolation reward, Flash / Windows / other”: Chrome / Win7 local OS user account persistence that does not use bugs in Chrome. For example, bugs in one or more of Flash, Windows or a driver. These exploits are not specific to Chrome and will be a threat to users of any web browser.
Google capped the rewards at $1 million, and the rewards will be given on a first-come, first-served basis. Google says there is no splitting of rewards or winner-takes-all kind of thing. Apart from these, the exploit should be a zero-day, meaning previously unknown.