Google takes a unique approach when it comes to searching for exploits in Chrome. Instead of only utilizing in-house resources to find these potential threats, Google uses hacking competitions. At the company’s second sponsored Pwnium hacking competition a potential security issue was unveiled that earned one enterprising hacker a $60,000 payout.
The winner of this reward was goes by the alias “Pinkie Pie”, a reference to the show My Little Ponies. This isn’t the first time Google has paid this particular hacker, either. Pinkie Pie was also present at the first Pwnium event earlier this year.
This most recent exploit utilized a Webkit Scalable Vector Graphics (SVG) security compromise. This made it possible to render yet another bug in the IPC layer. The end result was the ability to break free of Chrome’s sandbox, which is designed to prevent hackers from causing further damage to the browser or even the user’s computer.
The starting reward for verifiable Chrome hacks is a payment of $20,000, and it goes up from there. Since this particular hack relied entirely on existing bugs in Chrome for its execution it is classified as a “full Chrome exploit”. This type of exploit commands the highest payout given. For the young hacker this means a $60,000 cash prize, alongside a brand new Chromebook.
Not surprisingly, Google responded to the exploit quickly and had a patch within 12 hours. Rewarding such massive cash values might seem like a pretty big price to pay for bug fixing, but it really isn’t. The amount of money paid to internal efforts to remove such bugs would likely cost the company at least this much, if not more. Another benefit of supporting a competition like this is that it connects Google to hackers in a positive and meaningful way. It shows Google cares about rewarding hackers who help make Chrome safer for the end-user.