As you may have heard, Google has withdrawn sponsorship of this year's Pwn2Own contest. They have also announced their plans for a similar contest focused solely on their products. We'd like to clarify why this has occurred and reiterate the reasoning behind why the Pwn2Own contest is designed the way it is.
Background on Pwn2Own
For those unfamiliar with the history behind the Zero Day Initiative's Pwn2Own, it is an exercise in browser exploitation scenarios that has been featured at the CanSecWest conference since 2007. Throughout its lifetime, the competition has unearthed and responsibly disclosed:
- 1 Flash player vulnerability (2007)
- 1 Safari and 1 Flash vulnerability (2008)
- 2 Safari, 1 Internet Explorer, and 1 Firefox vulnerability (2009)
- 2 Safari, 2 Internet Explorer, and 1 Firefox vulnerability (2010)
- 1 Safari as well as 2 Mobile Safari bugs, and 1 Internet Explorer vulnerability (2011)
The point of Pwn2Own has always been to encourage the responsible disclosure of vulnerabilities. We re-architect the competition every year in order to most closely match what we believe to be the value of such vulnerabilities so as to encourage participation. To that end, this year we announced we are putting $105,000 up for grabs.
Bug Bounty Programs and Pwn2Own Sponsorship
When Google approached us last year to sponsor Pwn2Own, we gladly accepted. In our opinion, this was a vendor stepping forward to help the ZDI improve the security of the users of these browsers (well, specifically Chrome with regard to the Google sponsorship). We've been at the vulnerability purchasing table for quite some time and we'd like to think we know a thing or two about the landscape... if you will. We were happy to see that recently Google stepped up and launched their own bounty program in November of 2010. Since then, they have paid out $410,000 total to those who have submitted vulnerabilities in their products.
When we said we've got some experience in this area, it's because The Zero Day Initiative has paid out over $5,600,000 since its inception in 2005. Not only have we paid researchers for vulnerabilities affecting web browsers, but we've responsibly disclosed more than 1000 bugs in operating systems, enterprise products, instant messaging clients, SCADA applications, media players, and much more software people use and rely upon every day--and we give it to the affected vendors to fix for free. When Google announced their own bounty program, we approached them asking if they would be willing to pass on their bounties to our ZDI researchers for any Google-related vulnerabilities we were currently reporting. Unfortunately, our request was turned down.
However, we take what we can get; we've been giving these vulnerabilities to vendors for free for over 7 years. That's why when Google approached us to sponsor Pwn2Own 2012, we, once again, gladly accepted. Now, here was where things got a bit muddled.
Value of Vulnerabilities
When it comes to vulnerabilities affecting modern day browsers, there are two main categories: code execution and post-exploitation bypasses (sandbox escapes). It's important to understand the difference as it relates directly to their economic value. Code execution vulnerabilities are the type of bugs that the ZDI is willing to pay for. Without one of these, the second type of vulnerability is neutered. The prices the Pwn2Own contest offers are meant to reflect the value of these types of vulnerabilities.
The second type of vulnerability only applies to browsers that implement what we will refer to as a post-exploitation mitigation. These include Microsoft Internet Explorer's Protected Mode, Apple's App Sandbox, and Google Chrome's Chromium Sandbox. A vulnerability that takes advantage of a flaw in one of these mitigations is commonly referred to as a sandbox escape. These escapes are worth a lot more to a potential competitor than the first type of vulnerability discussed. This is mainly due to the fact that they are rare. As such, we strongly believe that those considering participating in Pwn2Own would not do so without a considerable reward. In fact, we don't believe that even the entirety of the $105,000 we are offering would be considered an acceptable bounty for an escape to those who have them. This brings us to our point of contention with Google. Pwn2Own has never required that contestants give up such sandbox escapes. We do require that they demonstrate them, in order to verify that they did indeed "hack" the target, but we have never required they disclose the escape to us or the vendor. The reason we do not do so is because our goal is to get as many vulnerabilities fixed through the contest as possible. This may sound contradictory, but it is not. If Pwn2Own required the sandbox escape be disclosed, we believe there would be no competitors targeting Chrome, which means that no Chrome code execution vulnerabilities would be fixed through the contest at all. However, by not requiring that the escape be disclosed, we believe we will have success in getting code execution vulnerabilities fixed and, in the end, providing the details responsibly to vendors (again, for free) so that they may fix their products.
Due to our disagreement about the best way to get the most vulnerabilities fixed, Google has withdrawn sponsorship of Pwn2Own. We understand their reasons for doing so: they want to be able to receive the sandbox escape details to improve the security of their product. That is why they launched Pwnium. What we believe they fail to realize is that, for the $60,000 they are offering, it is incredibly unlikely that anyone will participate. For example, a quote from a prior Pwn2Own winner: https://twitter.com/#!/VUPEN: "Google canceled its sponsorship of #pwn2own and launched its own #pwnium. To win, report your sophisticated exploit. We're not interested!".
Media Coverage and Sensationalism
The fact, though hard to substantiate, is that a sophisticated sandbox-escape exploit could likely fetch a great deal more that $60,000 on the open market. Whether or not you agree with that estimation, it is fair to say that a sophisticated sandbox-escape exploit could certainly wreak more than $60,000 worth of damage in the enterprise space. That is why such an exploit against Chrome will never see the light of day at CanSecWest. Instead, the grand Google prize will go unclaimed and the great takeaway from Pwnium will be that Google Chrome is unhackable - even when 1 million dollars are at stake. Which is a shame, because that kind of sensationalism will not advance the state of browser security at all. In fact, it may just set us back a few years.
Regardless of who is paying, we look forward to the results of both competitions and we hope to be able to continue to improve the safety of end users through the Pwn2Own contest. We will be providing real-time updates as the contest progresses from the official official Pwn2Own Twitter account.
The Zero Day Initiative Team