Google is scrapping its annual Pwnium bug-hunting contest for Google Chrome and Chrome OS and adding it to its year-round program designed to encourage developers to hunt down and notify Google of any bugs.
Pwnium was a part of Pwn2Own and was held annually at CanSecWest, a security conference in Vancouver.
"Starting today, Pwnium will change its scope significantly, from a single-day competition held once a year at a security conference to a year round, worldwide opportunity for security researchers," said Google in a blog post on its security blog. "For those who are interested in what this means for the Pwnium rewards pool, we crunched the numbers and the results are in: it now goes all the way up to $∞ million*."
Single awards for finding a bug will range from $500 all the way to $50,000, and, as mentioned, the reward pool is unlimited. Users who find bugs in Chrome, Chrome OS, or any other Chrome products can submit them using the Chrome Reward Program, which has been around since 2010.
The change should considerably improve security across all Chrome products. While Chrome has never been particularly bad at security, keeping security air-tight has become more important for large tech firms over the past few years, as hacks and bugs become increasingly expensive and scary for users. The new program will also reduce the risk that two researchers will submit the same bug, as vulnerabilities can be submitted at any time.
"If a security researcher was to discover a Pwnium-quality bug chain today, it's highly likely that they would wait until the contest to report it to get a cash reward. This is a bad scenario for all parties," continued Google. "It's bad for us because the bug doesn't get fixed immediately and our users are left at risk. It's bad for them as they run the real risk of a bug collision. By allowing security researchers to submit bugs all year-round, collisions are significantly less likely and security researchers aren't duplicating their efforts on the same bugs."
Pwnium has previously attracted attention because of its big rewards, with Google awarding $190,000 last year to two researchers who showed multiple vulnerabilities in Chrome OS.
The new program highlights the fact that Google is serious about security and that it wants to make sure that there are as few bugs in Chrome products as possible.