Google Expands Pwnium Year Round With Infinite Bounty

The New Acunetix V12 Engine


There are various bug bounty programs, with Google being one of the forerunners in the field – Twitter was late to the party just joining in September 2014.

The latest development is that Google is stopping the annual Pwnium hack fest aimed at the Chromium project to stop bug hoarding, which makes Pwnium essentially a never ending hack-fest that anyone can submit to at any time.

Google Expands Pwnium Year Round With Infinite Bounty

Which makes sense for Google really, they get the bugs faster – with the chances that multiple people have spotted the same bugs (including the blackhat market), the sooner they fix stuff the better.

Google is vastly expanding its popular annual Pwnium hack fest, by allowing hackers to vie try for limitless amounts of cash every day of the year. The contest was previously held once a year at the CanSecWest conference in Canada, with millions in cash on offer to hackers who can take the shine off its Chromium project.

The Choc factory now wants hackers to submit their bad bugs and exploit code as soon as it surfaces, rather than hold it off for the one-day event. Chrome security hacker philanthropist Tim Willis says the “never-ending Pwnium” will cut down barriers for entry and incentives for bug hoarding.

“We’ve received some great entries over the years, but it’s time for something bigger,” Willis says. “Starting today, Pwnium will change its scope significantly, from a single-day competition held once a year at a security conference to a year round, worldwide opportunity for security researchers.


It seems like Google is willing to invest quite a lot of money in this, and the security of the browser. Also they’re probably banking on the fact most of the major bugs have already been found and paid out on – so they shouldn’t take too much of a hit.

And they can pay out over the year, rather than all on one day. Hey who am I kidding, they have more money than the GDP of many small countires – this is nothing to them.

“For those who are interested in what this means for the Pwnium rewards pool, we crunched the numbers and the results are in: it now goes all the way up to $∞ million.”

That infinity million was grounded by the top reward for any one bug being US$50,000, the lowest offering US$500. He says hackers with “Pwnium-quality” bug chains would likely hoard the report to claim a cash reward at the risk that code changes may require them to rework their efforts. Hackers too requested that they be able to report whenever they like through the Chrome Vulnerability Reward Program, Willis said.

Willis did not specifically rule out the one day CanSecWest contest although it appeared likely.

The infinite dollars is not for one bug though, it’s a theoretical amount if you discovered infinite different bugs in Chrome, you could get that much (with a cap at $50,000 maximum bounty for each single bug).

With the lowest being $500, that means for a mid-range bug you could be looking at a decent sum of money, worth a crack if it’s up your street skillset wise.

Source: The Register

Posted in: Exploits/Vulnerabilities

, ,


Latest Posts:


Eraser - Windows Secure Erase Hard Drive Wiper Eraser – Windows Secure Erase Hard Drive Wiper
Eraser is a hard drive wiper for Windows which allows you to run a secure erase and completely remove sensitive data from your hard drive by overwriting it several times with carefully selected patterns.
Insecure software versions are a problem Web Security Stats Show XSS & Outdated Software Are Major Problems
Netsparker just published some anonymized Web Security Stats about the security vulnerabilities their online solution identified on their users’ web applications and web services during the last 3 years.
CTFR - Abuse Certificate Transparency Logs For HTTPS Subdomains CTFR – Abuse Certificate Transparency Logs For HTTPS Subdomains
CTFR is a Python-based tool to Abuse Certificate Transparency Logs to get subdomains from a HTTPS website in a few seconds.
testssl.sh - Test SSL Security Including Ciphers, Protocols & Detect Flaws testssl.sh – Test SSL Security Including Ciphers, Protocols & Detect Flaws
testssl.sh is a free command line tool to test SSL security, it checks a server's service on any port for the support of TLS/SSL ciphers, protocols as well as recent cryptographic flaws and more.
Four Year Old libSSH Bug Leaves Servers Wide Open Four Year Old libssh Bug Leaves Servers Wide Open
A fairly serious 4-year old libssh bug has left servers vulnerable to remote compromise, fortunately, the attack surface isn't that big as neither OpenSSH or the GitHub implementation are affected.
CHIPSEC - Platform Security Assessment Framework CHIPSEC – Platform Security Assessment Framework For Firmware Hacking
CHIPSEC is a platform security assessment framework for PCs including hardware, system firmware (BIOS/UEFI), and platform components for firmware hacking.


2 Responses to Google Expands Pwnium Year Round With Infinite Bounty

  1. Suraj Salunkhe March 11, 2015 at 6:26 pm #

    It’s quite good program to encourage the tester and improve the quality of product.Can you tell me how can I submit the bug to pwnium. You haven’t shared link for reporting bug or the procedure.