Google Expands Pwnium Year Round With Infinite Bounty


There are various bug bounty programs, with Google being one of the forerunners in the field – Twitter was late to the party just joining in September 2014.

The latest development is that Google is stopping the annual Pwnium hack fest aimed at the Chromium project to stop bug hoarding, which makes Pwnium essentially a never ending hack-fest that anyone can submit to at any time.

Google Expands Pwnium Year Round With Infinite Bounty

Which makes sense for Google really, they get the bugs faster – with the chances that multiple people have spotted the same bugs (including the blackhat market), the sooner they fix stuff the better.

Google is vastly expanding its popular annual Pwnium hack fest, by allowing hackers to vie try for limitless amounts of cash every day of the year. The contest was previously held once a year at the CanSecWest conference in Canada, with millions in cash on offer to hackers who can take the shine off its Chromium project.

The Choc factory now wants hackers to submit their bad bugs and exploit code as soon as it surfaces, rather than hold it off for the one-day event. Chrome security hacker philanthropist Tim Willis says the “never-ending Pwnium” will cut down barriers for entry and incentives for bug hoarding.

“We’ve received some great entries over the years, but it’s time for something bigger,” Willis says. “Starting today, Pwnium will change its scope significantly, from a single-day competition held once a year at a security conference to a year round, worldwide opportunity for security researchers.


It seems like Google is willing to invest quite a lot of money in this, and the security of the browser. Also they’re probably banking on the fact most of the major bugs have already been found and paid out on – so they shouldn’t take too much of a hit.

And they can pay out over the year, rather than all on one day. Hey who am I kidding, they have more money than the GDP of many small countires – this is nothing to them.

“For those who are interested in what this means for the Pwnium rewards pool, we crunched the numbers and the results are in: it now goes all the way up to $∞ million.”

That infinity million was grounded by the top reward for any one bug being US$50,000, the lowest offering US$500. He says hackers with “Pwnium-quality” bug chains would likely hoard the report to claim a cash reward at the risk that code changes may require them to rework their efforts. Hackers too requested that they be able to report whenever they like through the Chrome Vulnerability Reward Program, Willis said.

Willis did not specifically rule out the one day CanSecWest contest although it appeared likely.

The infinite dollars is not for one bug though, it’s a theoretical amount if you discovered infinite different bugs in Chrome, you could get that much (with a cap at $50,000 maximum bounty for each single bug).

With the lowest being $500, that means for a mid-range bug you could be looking at a decent sum of money, worth a crack if it’s up your street skillset wise.

Source: The Register

Posted in: Exploits/Vulnerabilities

, ,


Latest Posts:


dSploit APK Download - Hacking & Security Toolkit For Android dSploit APK Download – Hacking & Security Toolkit For Android
dSploit APK Download is a Hacking & Security Toolkit For Android which can conduct network analysis and penetration testing activities.
Scallion - GPU Based Onion Hash Generator Scallion – GPU Based Onion Hash Generator
Scallion is a GPU-driven Onion Hash Generator written in C#, it lets you create vanity GPG keys and .onion addresses (for Tor's hidden services).
WiFi-Dumper - Dump WiFi Profiles and Cleartext Passwords WiFi-Dumper – Dump WiFi Profiles and Cleartext Passwords
WiFi-Dumper is an open-source Python-based tool to dump WiFi profiles and cleartext passwords of the connected access points on a Windows machine.
truffleHog - Search Git for High Entropy Strings with Commit History truffleHog – Search Git for High Entropy Strings with Commit History
truffleHog is a Python-based tool to search Git for high entropy strings, digging deep into commit history and branches. This is effective at finding secrets accidentally committed.
AIEngine - AI-driven Network Intrusion Detection System AIEngine – AI-driven Network Intrusion Detection System
AIEngine is a next-generation interactive/programmable Python/Ruby/Java/Lua and Go AI-driven Network Intrusion Detection System engine with many capabilities.
Sooty - SOC Analyst All-In-One CLI Tool Sooty – SOC Analyst All-In-One CLI Tool
Sooty is a tool developed with the task of aiding a SOC analyst to automate parts of their workflow and speed up their process.


2 Responses to Google Expands Pwnium Year Round With Infinite Bounty

  1. Suraj Salunkhe March 11, 2015 at 6:26 pm #

    It’s quite good program to encourage the tester and improve the quality of product.Can you tell me how can I submit the bug to pwnium. You haven’t shared link for reporting bug or the procedure.