To infinity and beyond! Unimaginably large bug-hunting prize fund announced by Google

Graham Cluley

For the past few years, Google has been holding an annual bug-hunting competition – known as Pwnium – to encourage vulnerability researchers to find security holes in Chrome OS and the Chrome browser.

Google took advantage of the fact that many of the world’s leading bug hunters were already meeting at the CanSecWest security conference in Vancouver to compete in Pwn2Own (a separate bug-hunting competition) to run their own, separate Chrome-specific contest that offered up to $60,000 for working exploits.

But now, Google has announced that Pwnium, as we know it, is no more.

But fear not – because, like a phoenix, a brand new version of Pwnium is rising from the ashes. Huzzah!


Instead of being just one day in Vancouver, the competition will now take place all year round, and worldwide. In other words, no need to get yourself a plane ticket at the right time of year for British Columbia.

There are other good reasons for the competition to be non-location-specific and 365 days a year, according to Tim Willis of the Chrome Security team:

At Pwnium competitions, a security researcher would need to have a bug chain in March, pre-register, have a physical presence at the competition location and hopefully get a good timeslot. Under the new scheme, security researchers can submit their bugs year-round through the Chrome Vulnerability Reward Program (VRP) whenever they find them.

Furthermore, Google hopes, this new approach will make it less likely that bug hunters will wait until the contest is held before revealing the vulnerability they have found:

If a security researcher was to discover a Pwnium-quality bug chain today, it’s highly likely that they would wait until the contest to report it to get a cash reward. This is a bad scenario for all parties. It’s bad for us because the bug doesn’t get fixed immediately and our users are left at risk. It’s bad for them as they run the real risk of a bug collision. By allowing security researchers to submit bugs all year-round, collisions are significantly less likely and security researchers aren’t duplicating their efforts on the same bugs.

Finding bugs in Chromium (the open source basis of Chrome) and Chrome OS is important, of course, because of the rising tide of attackers attempting to exploit internet-enabled systems to steal information and plant malware on vulnerable computers. And as Chrome is now the most popular web browser on the planet, patching it promptly for newly discovered vulnerabilities matters.

Google is clearly keen to be seen as taking Chrome security seriously, and has announced that it will be investing more money into the competition prize fund than ever before. Last year, at CanSecWest they put $2.71828 million on the table (that being the mathematical constant e, of course).

But for the new, improved, year-round Pwnium, Google has announced it will be offering up to $∞ million in the rewards pool.

Yes, an infinite amount of money is up for grabs!

Amusingly, in his blog post announcing the new infinite amount of cash offered, Tim Willis adds a footnote at the insistence of his legal team:

* Our lawyercats wouldn’t let me say “never-ending” or “infinity million” without adding that “this is an experimental and discretionary rewards program and Google may cancel or modify the program at any time.” Check out the reward eligibility requirements on the Chrome VRP page.

But don’t get carried away imagining that you will be walking away with an infinity-sized check from Google. The company says that the top reward for reported bugs will be raised to $50,000, on offer all year round.

Let’s hope that more researchers are encouraged by the money on offer to divulge any vulnerabilities they find in Chrome, Chrome OS and Chromium directly to Google, rather than selling them to criminals and intelligence agencies who have less of an interest in Google fixing them.

This article originally appeared on the Optimal Security blog.


Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "Smashing Security" podcast. Follow him on Twitter, Mastodon, Threads, Bluesky, or drop him an email.
