Pwn2Own Host Responds to Google's Departure

Google recently offered up to $1 million in prize money at CanSecWest for those who could exploit the Chrome web browser using all-Chrome bugs or a combo of OS and Chrome bugs. Google also offers cash for participants who uncover exploits that could endanger web browsing altogether, not just with Google's browser. The company said the competition is separate from Pwn2Own, the latter of which Google decided not to sponsor this year.

"Originally, our plan was to sponsor as part of this year’s Pwn2Own competition," the Google Chrome Security team said on Monday. "Unfortunately, we decided to withdraw our sponsorship when we discovered that contestants are permitted to enter Pwn2Own without having to reveal full exploits (or even all of the bugs used!) to vendors. Full exploits have been handed over in previous years, but it’s an explicit non-requirement in this year’s contest, and that’s worrisome."

After we posted the news article, HP DVLabs, the company hosting the Pwn2Own contest, said there’s been some confusion created by Google’s decision to create its own event versus sponsoring HP DVLabs’ Pwn2Own competition. The company also responded to Google's claim about contestants not having to reveal full exploits to vendors.

"Affected vendors always receive full details for vulnerabilities discovered by winners of the Pwn2Own contest – this is a key benefit for the vendor community," the company told Tom's. "HP DVLabs analyzes each vulnerability it receives to determine the root problem, severity of the vulnerability, and its susceptibility to attack to help vendors assess the risks and deal with mitigating them."

Pwn2Own contestants will have access to a total "purse" of $105,000 this year, spread over three prizes for vulnerabilities discovered in Firefox, Internet Explorer, Safari and Chrome. HP DVLabs says that Google’s withdrawal only removes the additional $20,000 they had offered up for vulnerabilities in its Chrome browser.

"While Google has opted to go it alone to run its own security contest, HP doesn't necessarily see Google's move as undermining the Pwn2Own 2012 event," the company said. "Very few vendors have the expertise, time, or capital to manage security analysis of the type that [parent company] HP TippingPoint does at Pwn2Own and as part of ZDI. Vulnerabilities are increasing in complexity and until vendors significantly invest in creating a thriving security research team within their own organization, they will rely on contests like Pwn2Own that can cut through the clutter and identify vulnerabilities based on risk."

HP DVLabs has successfully hosted the Pwn2Own contest through the Zero Day Initiative (ZDI) since 2007, and will continue as planned during the conference next week, the company said. Those that aren’t winners of Pwn2Own are encouraged to submit their "vulns" for disclosure through the HP DVLabs Zero Day Initiative.

    Top Comments
  • I suspect that, although HP DVlabs DOES turn over vulnerabilities, Google wants there to be a contractual obligation to. In the legal world, there's a huge difference. Google's sole purpose of sponsoring such a competition is to uncover security flaws. I doubt an accounting controller at Google would say "Yes, let's put up $1 mil in reward money to hope that person gives us the vulnerability details out of their own free will". It doesn't seem as much like a mix-up as it does safe business practices.
    14
  • Other Comments
  • Seems like they could have made a 30 second phone call and cleared up the nondisclosure miscommunication. I would guess either Google has a different reason, or the event changed their stance, after this went down.
    8