Just ten days after pledging $1 million to hackers able to exploit Chrome, Google’s been forced to put its hand in its pocket.
Last month, it announced that it was launching its own security competition, to run alongside the Pwn2Own contest at the CanSecWest conference.
And now, Russian student Sergey Glazunov has netted himself $60,000 by discovering a new exploit that let him break out of Chrome’s ‘sandbox’ and so take control of a Windows 7 system.
“Congrats to long-time Chromium contributor Sergey Glazunov who just submitted our first Pwnium entry. Looks like it qualifies as a ‘Full Chrome’ exploit, qualifying for a $60k reward,” says Sundar Pichai, senior vice president in charge of Chrome and Google Apps, on a company blog.
“We’re working fast on a fix that we’ll push via auto-update. This is exciting; we launched Pwnium this year to encourage the security community to submit exploits for us to help make the web safer. We look forward to any additional submissions to make Chrome even stronger for our users.”
Meanwhile, at the Pwn2Own event, Chrome was hacked for a second time – indeed, the researchers, from security firm Vupen, managed it in the first five minutes. They say they have new exploits for Internet Explorer, Safari, and Firefox, too.
Since launching its new bug reward program last November, Google’s paid out over $410,000 in bounties. And while the latest exploits strip Chrome of its reputation for being ‘unhackable’, the company says it’s pleased by the result.
“Google has gotten better and stronger as a result of this work. We get more bug reports, which means we get more bug fixes, which means a safer experience for our users,” says technical program manager Adam Mein.