Naked Security

Google turns Pwnium into an all-year, unlimited-rewards bug-hunting contest

Google's new thinking around bug hunting: get it to us ASAP, from wherever you are.

Forget about that one-day CanSecWest Pwnium exploit extravaganza.

Security researchers, you can ditch the tactic of hoarding your Chrome exploits for the big day at the big security show.

From here on out, it’s all-Pwnium, all the time.

The browser-exploiting Pwnium competition is expanding from a single-day competition, held once a year at the Canadian security conference, to a “year-round, worldwide opportunity for security researchers,” according to a post from Tim Willis of the Chrome security team.

What’s more, the payouts for bugs have no ceiling: it’s “$∞ million”, Willis said.

Willis notes that, reasonably enough, Google’s lawyers won’t allow the terms “never-ending” or “infinity million” to be attached to a public declaration alongside a dollar sign – at least, not without pointing out that “this is an experimental and discretionary rewards program and Google may cancel or modify the program at any time.”

Pwnium was born in 2012 after Google fell out with the organisers of the Pwn2Own competition at the CanSecWest conference.

Pwn2Own is the competition where researchers try to kick the shins of mainstream browsers, other popular software and gadgets, all live and all out in public, in exchange for cash and gadgets.

Google’s beef with Pwn2Own had to do with the fact that the competition’s 2012 terms allowed winners to be paid out prize money even if they kept the vulnerabilities to themselves after the competition.

As Naked Security’s Paul Ducklin described the situation a few years back, Google felt that the prize money should be contingent on responsible disclosure, where any prizewinning vulnerabilities would be given to the makers of the pwned browsers, together with a reasonable time to fix them.

Thus, from Google’s dissatisfaction was born a new competition, Pwnium, named after the two main flavours of Google’s own browser, Chrome and Chromium.

The problem with a Pwnium that’s held on just one day, tied to just one show, is that it puts up a lot of roadblocks to entry, Willis said:

At Pwnium competitions, a security researcher would need to have a bug chain in March, pre-register, have a physical presence at the competition location and hopefully get a good timeslot. Under the new scheme, security researchers can submit their bugs year-round through the Chrome Vulnerability Reward Program (VRP) whenever they find them.

Beyond opening the competition to researchers worldwide, Willis said that running it year-round will shorten the time between bug discovery and reporting:

If a security researcher was to discover a Pwnium-quality bug chain today, it’s highly likely that they would wait until the contest to report it to get a cash reward. This is a bad scenario for all parties. It’s bad for us because the bug doesn’t get fixed immediately and our users are left at risk. It’s bad for them as they run the real risk of a bug collision. By allowing security researchers to submit bugs all year-round, collisions are significantly less likely and security researchers aren’t duplicating their efforts on the same bugs.

Google will be adding Pwnium-style bug chains on Chrome OS to the Chrome Vulnerability Reward Program (VRP). The top reward will be pushed up to $50,000, on offer all year round.



I think this year round Pwnium is an excellent idea. It encourages the submission of security flaws to Google as they are discovered rather than being held back. This should benefit us all.

It will be interesting to see how this refined bug bounty program works out. Thanks.


Google’s beef with Pwn2Own had to do with “the fact” that the competition’s 2012 terms allowed winners to be paid out prize money even if they kept the vulnerabilities to themselves after the competition.

That is false. Google’s beef was that Pwn2Own is a vulnerability acquisition competition, not an exploit acquisition competition. All vulnerabilities were acquired by the ZDI and responsibly disclosed to the vendor for fixing. Google wanted the exploit technique as well, which was not part of the competition, and way more valuable than they were willing to pay. Exploits used in Pwn2Own are only required to show the validity/exploitability of a vulnerability.

