“We discovered that contestants are permitted to enter Pwn2Own without having to reveal full exploits (or even all of the bugs used!) to vendors” says Google in a blog post. In previous years, full details have been handed over, but the revised rules make it “an explicit non-requirement in this year’s contest” – a change that Google calls “worrisome”. The organizers revised the rules to make the contest “more fair” and “more of a competition”.
Google says it is proud of its track record in previous contests, having not been exploited in the past, though it had patched Chrome with fixes for bugs discovered during Pwn2Own. The company says that not receiving exploit information makes it harder for them to improve the browser’s security. Google’s own reward scheme is designed to create an incentive to participants to fully disclose their exploits.
For a “Full Chrome exploit” which uses only Chrome bugs and persists in a Windows 7 local user’s account, Google will pay $60,000. A “Partial Chrome exploit”, where one bug in Chrome and other bugs are used, will pay $40,000, while a “Consolation reward”, where bugs in Flash, Windows or some other component not specific to Chrome are used, will pay $20,000. Google will pay these rewards, up to a total of a million dollars, on a first-come-first-served basis for exploits with a complete set of reliable, fully functional bugs, present in the latest versions as “genuinely 0-day”. Reward winners will also receive a ChromeBook.