Google is offering hackers a bounty of $2.7m (€2m) if they can expose flaws in the source code that powers the Chrome browser and operating system in an event they call Pwnium 4.
Attacks must be remotely triggered by a Chromebook visiting a website, and take control of some part of the system. Google will award $150,000 – at the discretion of a panel of judges – to anyone who can demonstrate a vulnerability.
Smaller rewards will be given for partial exploits, and Google says that “significant” larger bonuses could be issued for any “particularly impressive or surprising exploit”.
In order to qualify for the bounty, attacks should be conducted remotely in a “reliable” fashion and be previously unreported. The rewards will be handed out on a first-come, first-served basis until a pot of $2.718m runs out. In true Google fashion, the size of the cash pool relates to the mathematical constant e.
Google has run similar competitions before, focusing on Intel-based Chrome OS devices, but this year will give entrants the chance to work on an ARM-equipped Chromebook from HP or an Acer model with an Intel chip. All exploits must work against the latest stable version of Chrome OS.
Both Google’s Chrome browser and the Chrome OS run using open source code from the Chromium project. The Chromium code can be built as-is on many operating systems, with Google adding Flash, PDF and a print preview system before releasing it as Chrome.
Google software engineer Jorge Lucángeli Obes said in a blog post: “Security is a core tenet of Chromium, which is why we hold regular competitions to learn from security researchers. Contests like Pwnium help us make Chromium even more secure.”
Google last year offered $3.14m – a nod to the numerical constant pi – at Pwnium 3 but paid out just $40,000 for a “partial” exploit. Entrant “Pinkie Pie” found a bug involving video parsing, a Linux kernel bug and a config file error.
Chris Evans, chief reward officer at Google, said at the time in a blog post: “We’d like to thank Pinkie Pie for honoring the spirit of the competition by disclosing a partial exploit at the deadline, rather than holding on to bugs in lieu of an end-to-end exploit. This means that we can find fixes sooner, target new hardening measures and keep users safe.”