Pwn2Own Host Responds to Google's Departure

Source: HP DVLabs email

The host of Pwn2Own has responded to Google's decision to pull out of the 2012 competition and offer its own cash prizes for Chrome hacks.

Google recently offered up to $1 million in prize money at CanSecWest for those who could exploit the Chrome web browser using all-Chrome bugs or a combo of OS and Chrome bugs. Google also offers cash for participants who uncover exploits that could endanger web browsing altogether, not just with Google's browser. The company said the competition is separate from Pwn2Own, the latter of which Google decided not to sponsor this year.

"Originally, our plan was to sponsor as part of this year’s Pwn2Own competition," the Google Chrome Security team said on Monday. "Unfortunately, we decided to withdraw our sponsorship when we discovered that contestants are permitted to enter Pwn2Own without having to reveal full exploits (or even all of the bugs used!) to vendors. Full exploits have been handed over in previous years, but it’s an explicit non-requirement in this year’s contest, and that’s worrisome."

After we posted the news article, HP DVLabs, the company hosting the Pwn2Own contest, said there’s been some confusion created by Google’s decision to create its own event versus sponsoring HP DVLabs’ Pwn2Own competition. The company also responded to Google's claim about contestants not having to reveal full exploits to vendors.

"Affected vendors always receive full details for vulnerabilities discovered by winners of the Pwn2Own contest – this is a key benefit for the vendor community," the company told Tom's. "HP DVLabs analyzes each vulnerability it receives to determine the root problem, severity of the vulnerability, and its susceptibility to attack to help vendors assess the risks and deal with mitigating them."

Pwn2Own contestants will have access to a total "purse" of $105,000 this year, spread over three prizes for vulnerabilities discovered in Firefox, Internet Explorer, Safari and Chrome. HP DVLabs says that Google’s withdrawal only removes the additional $20,000 they had offered up for vulnerabilities in its Chrome browser.

"While Google has opted to go it alone to run its own security contest, HP doesn't necessarily see Google's move as undermining the Pwn2Own 2012 event," the company said. "Very few vendors have the expertise, time, or capital to manage security analysis of the type that [parent company] HP TippingPoint does at Pwn2Own and as part of ZDI. Vulnerabilities are increasing in complexity and until vendors significantly invest in creating a thriving security research team within their own organization, they will rely on contests like Pwn2Own that can cut through the clutter and identify vulnerabilities based on risk."

HP DVLabs has successfully hosted the Pwn2Own contest through the Zero Day Initiative (ZDI) since 2007, and will continue as planned during the conference next week, the company said. Those that aren’t winners of Pwn2Own are encouraged to submit their "vulns" for disclosure through the HP DVLabs Zero Day Initiative.

Top Comments
  • Anomalyx, March 1, 2012 9:46 PM (14)
    I suspect that, although HP DVlabs DOES turn over vulnerabilities, Google wants there to be a contractual obligation to. In the legal world, there's a huge difference. Google's sole purpose of sponsoring such a competition is to uncover security flaws. I doubt an accounting controller at Google would say "Yes, let's put up $1 mil in reward money to hope that person gives us the vulnerability details out of their own free will". It doesn't seem as much like a mix-up as it does safe business practices.
Other Comments
  • jackbling, March 1, 2012 9:25 PM (8)
    Seems like they could have made a 30 second phone call and cleared up the nondisclosure miscommunication. I would guess either google has a different reason, or the event changed their stance, after this went down.
  • Anonymous, March 1, 2012 10:27 PM (5)
    http://dvlabs.tippingpoint.com/blog/2012/02/29/pwn2own-and-pwnium explains all
  • slabbo, March 1, 2012 10:38 PM (2)
    they are already doing their own version of it, so why spend more for something redundant? Seems like they are giving out more in prizes with their own anyway.
  • blazorthon, March 2, 2012 1:25 AM (2)
    I agree with Anomalyx, it seems like Google wants contractual obligation to be given the info on the vulnerabilities because otherwise it is a risk for them. In the unlikely event of such data not being given, they would have given money to the participants yet not be given the compensation that they want.
  • santiagoanders, March 2, 2012 11:53 AM (0)
    From the dvlabs link above: "If Pwn2Own required the sandbox escape be disclosed, we believe there would be no competitors targeting Chrome," emphasis mine.
    They say sandbox exploits are too valuable to a hacker to be rewarded with such little compensation in this competition. And they say this means that nobody would even try to target chrome for an execution exploit? Not sure I follow that logic.
  • blazorthon, March 2, 2012 12:46 PM (0)
    santiagoanders: "From the dvlabs link above: 'If Pwn2Own required the sandbox escape be disclosed, we believe there would be no competitors targeting Chrome,' emphasis mine. They say sandbox exploits are too valuable to a hacker to be rewarded with such little compensation in this competition. And they say this means that nobody would even try to target chrome for an execution exploit? Not sure I follow that logic."

    I think by competitors, Google means that their actual competitors, not hackers. If not, well it makes sense, at least some sense. Google says that if they have the data for the sandbox escapes, then hackers are less likely to use the same attack against them. The hackers would need to find a different vulnerability than they found in Chrome at the competition in order to attack, unless they attacked Chrome before Google fixes the vulnerability.

    Besides, I still think that Google was referring to Mozilla, Microsoft, etc. yelling at Google about Chrome having problems with sandbox escape attacks, or something along those lines.
  • COLGeek, March 2, 2012 3:04 PM (0)
    Since it was Google's money, they can decide how and when they will spend it. Not a big deal.
  • blazorthon, March 2, 2012 4:44 PM (0)
    COLGeek: "Since it was Google's money, they can decide how and when they will spend it. Not a big deal."


    It is their money and they can spend it how they want to, but it is a big deal. Google has decided against being a part of a security competition and this changes our views of them, depending on how we think about what happened.

    This can affect how many people are using Chrome and other Google products be it an increase, or more likely, a decrease. If fewer people use Google products, then Google may need to do something about it. Google leaving Pwn2Own could have serious repercussions for the company and considering how large of an impact that Google has on the daily lives of millions, that is a big deal.

    Granted, it's unlikely that much will come of this, but to say it's no big deal is misleading nonetheless.