Goolge's Pwnium competition challenges hackers to find zero-day vulnerabilities in its Chrome OS, offering millions of dollars in return.

Google Chrome OS Pwnium
Sundar Pichai, senior vice president of Chrome at Google, announces a Samsung notebook running Google Chrome OS last May. (Credit: Reuters)

Finding zero-day vulnerabilities (previously unknown software security issues) and selling exploits built on the back of them is big business these days, with a number of companies such as Hacking Team and Finfisher coming under scrutiny for selling these cyber weapons to the highest bidder.

These powerful tools abre purchased by everyone from the affected softrware vendors themselves to government agencies and most worryingly cyber criminals.

In an attempt to circumvent these vulnerabilities getting into the hands of cyber criminals, competitions have been established offering large cash prizes to security researchers to reveal vulnerabilities they've found and share the techniques with the vendors involved.

At the CanSecWest conference taking place in Vancouver this week, two of the biggest of these competitions are taking place. The Pwn2Own competition sees security researchers challenged with cracking the likes of Internet Explorer, Java and Firefox while Google has created its own competition called Pwnium which focuses entirely on Chrome OS.

Google has set up a prize pool of over $3 million for researchers who manage to find a "browser or system level compromise in guest mode or as a logged-in user, delivered via a webpage" or a "compromise with device persistence - guest to guest with interim reboot, delivered via a webpage."

You will need to pull off the attack using only a Samsung S5 550 Chromebook, running the latest version of the Chrome OS.


While the Pwn2Own and Pwnium competitions go some way to preventing vulnerabilities getting into the hands of cyber criminals, the fact remains that because a lot of vendors such as Microsoft and Google are unwilling to pay security researchers what they feel is sufficient compensation for their work, the attraction of large amounts of money from cyber criminals will remain.

Vupen, one of the companies taking part in the Pwn2Own competition, says it only sells the vulnerabilities to customers is has vetted and will only deal with governments who are NATO approved.

Questions remain however over what the tools sold to governments are used for after they are handed over. While governments may tell companies like Vupen that they will only be used to fight crime, there is nothing Vupen can do to stop governmnet agencies from using the tools to spy on citizens.

Currently there is no regulation in place in the US over who can buy or sell these cyber-weapons though there are some regulations in place in Europe.

With cyber-espionage on the rise and cybver-warfare on the horizon, vulnerabilites in popular software like Internet Explorer, Java, Flash and Firefox - along with the exploits to take advantage of it - will only become more popular and more expensive.