Just two days before the annual Pwn2Own contest is set to begin at CanSecWest, Google has patched a huge set of serious vulnerabilities in its Chrome browser. In addition to the 14 high-risk flaws fixed in Chrome, the company also handed out rewards of $10,000 each to three researchers who regularly submit bugs to Google and have taken home quite a bit of cash in the past as part of the company’s reward program.
The $10,000 payouts went to Aki Helin, Arthur Gerkis and a researcher known as Miaubiz. These payments are in addition to the normal rewards that Google pays researchers who find and report security vulnerabilities in Chrome, and they represent a new kind of reward from the company. Google officials said this is just the beginning of this kind of reward, which isn’t tied to a specific bug report.
“To determine the above rewards, we looked at bug finding performance over the past few months. The three named individuals stood out significantly. It also shouldn’t come as a surprise that they all feature (and earn more!) in the release notes below. We have always reserved the right to arbitrarily reward sustained, extraordinary contributions. In this instance, we’re dropping a surprise bonus. We reserve the right to do so again and reserve the right to do so on a more regular basis! Chrome has a leading reputation for security and it wouldn’t be possible without the aggressive bug hunting of the wider community,” Jason Kersey of the Google Chrome team wrote in a blog post.
The Pwn2Own contest at CanSecWest in Vancouver is an annual competition that challenges researchers to hack one or more of a set list of targets. The target list typically includes each of the major browsers running on Windows or OS X. The rules of the contest have changed this year in order to give more contestants the ability to use vulnerabilities they’ve discovered. Instead of researchers simply sitting down in their assigned order and trying their bugs against a specific browser, this year’s contest will be a three-day competition in which entrants earn points for successful exploits against the various targets.
The targets this year are Chrome, Internet Explorer, Safari and Firefox, but the specific versions of each browser won’t be known until Wednesday when the contest starts.
“We basically rearchitected the entire thing this year. We wanted to take our limited budget and spread it over three winners in order to give them more incentive to bring their vulns to Pwn2Own,” Aaron Portnoy, the manager of the security research team at TippingPoint, whose Zero Day Initiative runs Pwn2Own, said in explaining the new rules last month. “We didn’t think it was fair with the drawing. That opens the door for people having a vulnerability they don’t use at the contest and it doesn’t get fixed.”
In past years, Safari, Firefox and IE have been frequent successful targets at the contest but no one has succeeded in taking down Chrome. This year Google has offered up to $1 million in rewards for successful exploits against its browser. The list of bugs the company fixed in Chrome on Sunday should make that harder.
The full list of fixes in Chrome includes: