The Vancouver-based CanSecWest conference plays host to two hacking competitions this year instead of one, following a disagreement between Google and security firm Tipping Point
Google was slated to take part in Pwn2Own
, which is the contest sponsored by Tipping Point's Zero Day Initiative
. Researchers in this contest - which offers a total of $105,000 in prizes - present exploits that highlight vulnerabilities in the product. Tipping Point can then pay for details of those vulnerabilities, so that they can be patched. Google originally offered $20,000 in prizes to researchers exposing flaws in Chrome.
However, the search giant pulled out and began its own contest, called Pwnium, for researchers targeting its Chrome browser. The company upped its bounty for details of successful zero-day exploits to $60,000.
Google disagreed with Tipping Point over a particular type of exploit particularly relevant to Chrome: sandbox escapes. These occur when a hacker breaks the virtual sandbox that keeps a system safe from an exploit. Google requires researchers to reveal full details of their successful exploit, whereas Tipping Point only requires them to reveal details of the vulnerability that it used, so that it can code a protection in its own IDS product.
"Full exploits have been handed over in previous years, but it's an explicit non-requirement in this year's contest, and that's worrisome," said Google."Sandbox escapes are rare
," said Tipping Point in a blog post on the issue. "For the $60,000 they are offering, it is incredibly unlikely that anyone will participate."
The two competitions run from March 7-9.