Pwn2Own Host Responds to Google's Departure

[exfileme]

The host of Pwn2Own has responded to Google's decision to pull out of the 2012 competition and offer its own cash prizes for Chrome hacks.

Pwn2Own Host Responds to Google's Departure : Read more

 

[jackbling]

Seems like they could have made a 30 second phone call and cleared up the nondisclosure miscommunication. I would guess either google has a different reason, or the event changed their stance, after this went down.

 

[Anomalyx]

I suspect that, although HP DVlabs DOES turn over vulnerabilities, Google wants there to be a contractual obligation to. In the legal world, there's a huge difference. Google's sole purpose of sponsoring such a competition is to uncover security flaws. I doubt an accounting controller at Google would say "Yes, let's put up $1 mil in reward money to hope that person gives us the vulnerability details out of their own free will". It doesn't seem as much like a mix-up as it does safe business practices.

 

[Guest]

http://dvlabs.tippingpoint.com/blog/2012/02/29/pwn2own-and-pwnium explains all

 

[slabbo]

they are already doing their own version of it, so why spend more for something redundant? Seems like they are giving out more in prizes with their own anyway.

 

[blazorthon]

I agree with Anomalyx, it seems like Google wants contractual obligation to be given the info on the vulnerabilities because otherwise it is a risk for them. In the unlikely event of such data not being given, they would have given money to the participants yet not be given the compensation that they want.

 

[santiagoanders]

From the dvlabs link above: "If Pwn2Own required the sandbox escape be disclosed, we believe there would be no competitors targeting Chrome," emphasis mine.
They say sandbox exploits are too valuable to a hacker to be rewarded with such little compensation in this competition. And they say this means that nobody would even try to target chrome for an execution exploit? Not sure I follow that logic.

 

[blazorthon]

[citation][nom]santiagoanders[/nom]From the dvlabs link above: "If Pwn2Own required the sandbox escape be disclosed, we believe there would be no competitors targeting Chrome," emphasis mine.They say sandbox exploits are too valuable to a hacker to be rewarded with such little compensation in this competition. And they say this means that nobody would even try to target chrome for an execution exploit? Not sure I follow that logic.[/citation]

I think by competitors, Google means that their actual competitors, not hackers. If not, well it makes sense, at least some sense. Google says that if they have the data for the sandbox escapes, then hackers are less likely to use the same attack against them. The hackers would need to find a different vulnerability than they found in Chrome at the competition in order to attack.unless they attacked Chrome before Google fixes the vulnerability.

Besides, I still think that Google was referring to Mozilla, Microsoft, etc. yelling at Google about Chrome having problems with sandbox escape attacks, or something along those lines.

 

[COLGeek]

Since it was Google's money, they can decide how and when they will spend it. Not a big deal.

 

[blazorthon]

[citation][nom]COLGeek[/nom]Since it was Google's money, they can decide how and when they will spend it. Not a big deal.[/citation]

It is their money and they can spend it how they want to, but it is a big deal. Google has decided against being a part of a security competition and this changes our views of them, depending on how we think about what happened.

This can affect how many people are using Chrome and other Google products be it an increase, or more likely, a decrease. If fewer people use Google products, then Google may need to do something about it. Google leaving Pwn2Own could have serious repercussions for the company and considering how large of an impact that Google has on the daily lives of millions, that is a big deal.

Granted, it's unlikely that much will come of this, but to say it's no big deal is misleading nonetheless.