Another change from last year is that researchers must provide TippingPoint with a fully functional exploit and all the details of the vulnerability used in the attack. Last year, Google backed out because Pwn2Own did not require hackers to divulge full exploits, or all of the bugs used, so that vendors, including Google, could then fix the flaws.
The rule changes and the large infusion of cash hint that Google returned to Pwn2Own sponsorship only after it convinced TippingPoint to revise the exploit disclosure policy. Yesterday, Google declined to comment on whether it would again run a Pwnium contest at CanSecWest, but did confirm it will host its Chrome-specific challenge at some point in 2013.
But it was the cash that caught researchers' attention.
The $100,000 prize for an exploit of Chrome or IE10, for example, was 67% more than Google paid last year in its inaugural Pwnium contest, and over six times the maximum paid at Pwn2Own in 2011 for hacking a desktop browser.
The always-quotable Charlie Miller, who won prizes at Pwn2Own four years in a row -- the only "four-peat" in the contest's history -- bemoaned the high awards.
"I have to say the Pwn2Own prize money is serious," Miller said on Twitter yesterday. "I feel like a 1950's pro athlete wondering why current athletes are paid so much."
Miller, who won at Pwn2Own while a security consultant, now works for Twitter.
Others took up Miller's line of thought, with Larry Seltzer, a long-time security reporter and now the editorial director of Byte, chiming in with, "They're all using exploit-enhancing drugs these days."