Google has never been stingy when it comes to paying for information about security vulnerabilities in its products. Now it’s offering an especially large–and especially nerdy–sum of money.
At its third Pwnium hacking competition in Vancouver in March, the company is ponying up a total of $3.14159 million in prizes for hackers who can demonstrate critical security vulnerabilities in its Chrome OS operating system running on a Samsung Series 5 550 Chromebook, according to a notice posted Monday on its Chromium blog. Any participant who can take over a Chromebook user’s browser or entire computer via a malicious Web page can earn a $110,000 payout. And if the hacker can maintain persistent control over the system between reboots of the machine, he or she can win $150,000.
Those prizes are a significant bump over Google’s already generous rewards for hackers who demonstrate flaws in its products and share information to help fix them. Though the total, pi-sized bounty is mostly a marketing gimmick–Google has only ended up paying out a few hundred thousand dollars of its $1 million and $2 million total offerings in previous Pwnium contests–its $150,000 reward is $90,000 more than it’s offered in the past for any single hack.
Correction: A previous version of this story stated that the reward was $30,000 more than Google had offered for a single hacking technique in the past. In fact, its maximum payout was $60,000 for a successful Chrome exploit.
Google’s decision to focus the contest on Chrome OS this year also marks a change from previous contests, when it instead asked hackers to target its Chrome browser. The company’s big bounties levied at Chrome OS may be designed to put the security community’s spotlight on its Web-based operating system, which has generally been lauded for its rigorous defenses against hackers but hasn’t seen anywhere near the same level of adoption as the search giant’s popular browser.
“We believe these larger rewards reflect the additional challenge involved with tackling the security defenses of Chrome OS, compared to traditional operating systems,” the company’s blog post reads.
Despite those impressive bounties, security researchers have pointed out in recent years that they can earn far more by keeping exploits secret and selling them to government agency customers, who use them for offensive hacking and surveillance as opposed to the vendors’ intention of using the information to better secure their products. Chaouki Bekrar, the chief executive of the French exploit-selling firm Vupen, told me last year that he wouldn’t give Google information about a technique for hacking Chrome for even $1 million. “We don’t want to give them any knowledge that can help them in fixing this exploit or other similar exploits. We want to keep this for our customers,” Bekrar said at the time.
Nonetheless, a few hackers have been eager to take Google’s rewards rather than sell their techniques on the more lucrative grey market. Russian university student Sergey Glazunov and the pseudonymous hacker Pinkie Pie have claimed $60,000 and $120,000 rewards from Google for hacking Chrome in the last two Pwniums.
If nothing else, Google’s $3.14159 million prize gives the company another chance to publicly express its love of extremely geeky numbers. Aside from the company’s name and that of its headquarters, Google has also long offered $3,1337 to hackers who reported especially impressive bugs in its software, a spelling of “elite” in hackers’ number-for-letters “leetspeak” jargon. And when the telecom giant Nortel auctioned off a collection of patents in 2011, Google put in bids for values like $1,902,160,540 and $2,614,972,128, representing obscure mathematical constants related to reciprocal prime numbers. At other points in the bidding the company offered a dollar value representing the distance between the Earth and the Sun and, later, pi billion dollars. It lost the auction.