Google held its own Pwnium competition focused on Chrome alone
Details on this year's Pwn2Own security competition have been revealed and there are quite a few surprises. For one, the prizes are bigger, significantly bigger. The rules and the competition itself have changed quite a bit from previous years, as well. But the biggest surprise is that Google is involved once again.Last year's edition was mired in controversy since the rules of the competition did not require participants to disclose exactly how their exploits work.
In Pwn2Own, hackers are challenged to break into computers using fully-patched browsers and operating systems. Successfully doing so wins you the device you "pwn," hence the name, along with a significant sum of money in recent years.
Google had been an early sponsor of the competition held traditionally at CanSecWest. But it dropped out dramatically last year, as the new rules didn't require hackers to explain their methods, crucial for browser makers to plug the holes exploited.
Incidentally, last year was the first time Chrome was successfully exploited, by Team Vupen, a security company that sells exploits to governments that pay enough. It's understandable why they didn't want to disclose their methods.
Google went on to hold its own Pwnium competition, two of them in the same year in fact, which have been quite successful, in that they both received exploits that broke the Chrome sandbox.
In light of that success, it's quite surprising to see Google back behind the Pwn2Own competition, which is also sponsored by HP. The catch is that the rules have once again changed and now, hackers have to reveal the details of their exploit, the point of contention for Google last year.
"Upon successful demonstration of the exploit, the contestant will provide HP ZDI a fully functioning exploit and all the details of the vulnerability used in the attack," TippingPoint, part of HP, the creator of the Pwn2Own competition, explained.
"In the case that multiple vulnerabilities were exploited to gain code execution, details about all the vulnerabilities (memory corruption, infoleaks, escalations, etc.) leveraged and the sequence in which they are used must be provided to receive the prize money," it added.