To walk off with Google's $20,000 on Pwn2Own's first day, a researcher must find and exploit two vulnerabilities in Google's code. Only on the second and third days of the contest can researchers employ a non-Chrome bug, say one in Windows, to break out of the sandbox. A successful attack on the second and third days will still put $20,000 in the researcher's pocket, but only $10,000 of that will come from Google; TippingPoint will pony up the other $10,000.
Google's participation in this year's Pwn2Own may be a mark of its confidence that Chrome can't be hacked. Although Chrome has been one of the browser targets at Pwn2Own since 2009, no researcher has exploited the browser and grabbed the cash.
IE, Firefox and Safari have fallen to attackers each of the last two years, sometimes in an embarrassingly short amount of time. In 2009, one researcher -- a German computer science major who gave only his first name, Nils -- hit the trifecta by exploiting all three browsers and taking home $15,000 total, $5,000 for each hack.
Charlie Miller, the only researcher to have won Pwn2Own prizes three consecutive years, wouldn't commit last week to trying again, but on Wednesday he noticed the $20,000 for Chrome.
"Pwn2own now offering 20k for attack on Chrome," said Miller on Twitter . "Must be hard, glad Mac OS X doesn't sandbox their browser."
Miller is a Mac hacking authority -- he co-authored The Mac Hacker's Handbook with Dino Dai Zovi, a 2007 Pwn2Own winner -- and has exploited Safari each of the last three years. As he pointed out, Safari is not sandboxed.
TippingPoint will also run a mobile hacking track at Pwn2Own next month that will let researchers try to exploit smartphones running Apple 's iOS, Google's Android, Microsoft 's Windows 7 Phone and RIM's BlackBerry OS.
Successful smartphone attacks will be awarded $15,000.