One million dollars. That's how much Dr. Evil initially wanted for a stolen nuclear warhead, and it's the same amount Google plans to dole out through various rewards at the CanSecWest security conference to participants who discover full and partial Chrome exploits, as well as bugs in programs than can be a threat to Chrome. The $1 million fund is something Google is doing on its own, as the sultan of search has chosen to withdraw its participation from CanSecWest's annual Pwn2Own contest.
"Originally, our plan was to sponsor as part of this year’s Pwn2Own competition. Unfortunately, we decided to withdraw our sponsorship when we discovered that contestants are permitted to enter Pwn2Own without having to reveal full exploits (or even all of the bugs used!) to vendors," Google explained in a blog post. "Full exploits have been handed over in previous years, but it’s an explicit non-requirement in this year’s contest, and that’s worrisome."
Google said it will pay $60,000 for the discovery of full Chrome exploits (Chrome/Win 7 local OS user account persistence using only bugs in Chrome itself), $40,000 for partial Chrome exploits (Chrome/Win 7 local OS user account persistence using at least one bug in Chrome itself, plus other bugs. For example, a WebKit bug combined with a Windows sandbox bug), and $20,000 as a consolation reward for bugs in Flash, Windows, and elsewhere that present a threat to the Chrome browser.
"We will issue multiple rewards per category, up to the $1 million limit, on a first-come-first-served basis," Google said.
Reward winners will also receive a Chromebook for their efforts.