the Chromium logo

The Chromium Projects

Pwnium 4


Chromium Security Reward Program

Official Rules



The Pwnium4@CanSecWest2014 Chromium Security Reward Program ("Program") is a skill contest designed to encourage involvement in improving the security of the Chromium project. Entrants submit original and unreported exploits relying on security bugs in Chrome OS including Chrome coupled with Flash / Chrome OS kernel and firmware / default apps on Chrome OS (an “Exploit”). The Exploits entrants develop will be evaluated by judges, who will award rewards to entrants who submit full and reliable Exploits (or Incomplete Exploits, as described below) with critical impact as determined in the sole discretion of the Judges.

  1. BINDING AGREEMENT: In order to enter the Program, you must agree to these Official Rules (“Rules”). Therefore, please read these Rules prior to entry to ensure you understand and agree. You agree that submission of an Exploit in the Program constitutes agreement to these Rules. You may not submit an Exploit to the Program and are not eligible to receive the rewards described in these Rules unless you agree to these Rules. These Rules form a binding legal agreement between you and Google with respect to the Program.

  2. ELIGIBILITY: To be eligible to enter the Program, you must be: (1) above the age of majority in the country, state, province or jurisdiction of residence (or at least twenty years old in Taiwan) at the time of entry; (2) not a resident of Italy, Brazil, Quebec, Cuba, Iran, Syria, North Korea, or Sudan; (3) not a person or entity under U.S. export controls or sanctions; and (4) have access to the Internet as of January 23rd, 2014. Contest is void in Italy, Brazil, Quebec, Cuba, Iran, Syria, North Korea, Sudan), and where prohibited by law.

Employees, interns, contractors, and official office-holders of Google, and their parent companies, subsidiaries, affiliates, and their respective directors, officers, employees, advertising and promotion agencies, representatives, and agents (“Program Entities”), and members of the Program Entities’ and their immediate families (parents, siblings, children, spouses, and life partners of each, regardless of where they live) and members of the households (whether related or not) of such employees, officers and directors are ineligible to participate in the Program. Google reserves the right to verify eligibility and to adjudicate on any dispute at any time.

If you are entering as part of a company or on behalf of your employer, these rules are binding on you, individually, and/or your employer. If you are acting within the scope of your employment, as an employee, contractor, or agent of another party, you warrant that such party has full knowledge of your actions and has consented thereto, including your potential receipt of a reward. You further warrant that your actions do not violate your employer’s or company’s policies and procedures.

  1. SPONSOR: The Program is sponsored by Google Inc. (“Google” or "Sponsor"), a Delaware corporation with principal place of business at 1600 Amphitheatre Parkway, Mountain View, CA, 94043, USA.

  2. PROGRAM PERIOD: The Program begins at 10:00:00 A.M. Pacific Time (PT) Zone (in Vancouver, Canada) at CanSecWest 2014 on March 12th, 2014 and ends at 12:00:00 P.M. PT on March 12th, 2014 (“Program Period”). Google may extend the Program Period in its sole discretion. ENTRANTS ARE RESPONSIBLE FOR DETERMINING THE CORRESPONDING TIME ZONE IN THEIR RESPECTIVE JURISDICTIONS.

  3. HOW TO ENTER: NO PURCHASE NECESSARY TO ENTER OR WIN. To enter the Program, register before 5:00:00 P.M. PST (Pacific Standard Time) on Monday, March 10th, 2014 by sending an email with your name to, and then visit the Google desk at CanSecWest 2014 in Vancouver, Canada during the Program Period. Entrants will be assigned a specific timeslot on March 12th, 2014 during which they may demonstrate Exploits to the Judges. Exploits must be demonstrated during entrant’s assigned time to be eligible for a reward, and must meet the “Exploit Requirements,” described below.

Entrants are entirely responsible for all costs and fees associated with entrant’s participation in the Program and attending the CanSecWest 2014, including (but not limited to) admission fees, transportation, accommodation and living costs. All entries must be received before the end of the Program Period. Entries are void if they are in whole or part illegible, incomplete, damaged, altered, counterfeit, obtained through fraud, or late. All entries will be deemed made by the authorized account holder of the email address submitted at the time of submission, and potential reward recipients may be required to show proof of being the authorized account holder for that email address. The "authorized account holder" is the natural person assigned to an email address by an Internet service provider, online service provider, or other organization responsible for assigning email address for the domain.

EXPLOIT REQUIREMENTS: The Exploit must meet the following criteria:

• Be an unreported and original exploit, which has not been shared or partially shared with anyone else or submitted in any other contests.

• Be an exploit relying on an unreported and original bug, bugs or security feature in Chrome OS, Flash or other software e.g. drivers.

• Be an attack that’s demonstrated against a base (WiFi) model of the ARM-based HP Chromebook 11, running the latest stable version of Chrome OS; or a 2GB WiFi model of the Acer C720 Intel Chromebook, running the latest stable version of Chrome OS.

• Be a remote exploit accessible through the Chrome browser, which works and is reliable.

• Be served from a password-authenticated and HTTPS-supported Google property, such as Google App Engine.

• Be present in the most recent supported channel(s) of Chrome OS.

• Be a critical vulnerability of high impact.

• Be authored or created by You.

• Be submitted with corresponding documentation that details each bug exploited.

During the Program Period, Google, its agents, and/or the Judges (defined below) will be evaluating each Exploit to ensure that it meets the Exploit Requirements. Google reserves the right, in its sole discretion, to disqualify any entrant who submits an Exploit that does not meet the Exploit Requirements.

  1. JUDGING: Each Exploit submission will be judged by a panel of experts who are employees of Google (“Judges”). Each Exploit will be evaluated by the Judges as to whether the Exploit is a critical importance vulnerability of high impact, based on the potential for persistent access to the user’s account or guest mode on the Chrome operating system.

Judges will evaluate each Exploit based upon the above criteria to determine whether it is critical impact and qualifies for a reward.

If a potential reward recipient is disqualified for any reason, the reward allocated to that recipient will be returned to the total reward pool. On or about March 17th, 2014, the potential reward recipients will be selected and notified by telephone and/or email, at Sponsor’s discretion. If a potential reward recipient does not respond to the notification attempt within five days from the first notification attempt, then such potential reward recipient may be disqualified and the allocated reward will be returned to the total reward pool. With respect to notification by telephone, such notification will be deemed given when the potential reward recipient engages in a live conversation with Sponsor or when a message is left on the potential reward recipient’s voicemail service or answering machine by the Sponsor, whichever occurs first. Except where prohibited by law, each potential reward recipient may be required to sign and return a Declaration of Eligibility and Liability and Publicity Release and provide any additional information that may be required by Sponsor. If required, potential reward recipients must return all such required documents within seven days following attempted notification or such potential reward recipient may be deemed to have forfeited the reward and the reward may be returned to the total reward pool. All notification requirements, as well as other requirements within these Rules, will be strictly enforced. In the event no Exploits are received, no rewards will be awarded. Determinations of judges are final and binding.

  1. REWARDS: Rewards for eligible Exploits will be allocated to eligible entrants on a first-come-first-served basis, based on time of submission during the Program Period specified above, until such time as the total reward pool of $2.71828 million USD is exhausted:

An entrant submitting an Exploit demonstrating a Chrome OS system-level compromise delivered via a web page and triggerable when browsing in Guest mode and affecting all subsequent Guest mode sessions across reboots (“persistent Guest-to-Guest exploit”) using bugs in Chrome OS, as determined in the sole discretion of the Judges, will receive a reward of $150,000 USD (one hundred and fifty thousand U.S. dollars).

An entrant submitting an Exploit demonstrating a Chrome browser-level compromise delivered via a web page using bugs in Chrome OS as determined in the sole discretion of the Judges, will receive a reward of $110,000 USD (one hundred and ten thousand U.S. dollars).

Google reserves the right to issue partial rewards, in its sole discretion, for partial, incomplete or unreliable Exploits. Google may also consider issuing significant bonuses for any Entrant who demonstrates a particularly impressive or surprising exploit.

Each reward recipient will also receive a Chromebook, provided such reward recipient resides in a country where Chromebooks are legally available.

Odds of winning any reward depends on the number of eligible entries received during the Program Period and the skill of the entrants. The rewards will be awarded within approximately two weeks of receipt by Sponsor of final reward acceptance documents. No transfer, substitution or cash equivalent for rewards is allowed, except at Sponsor’s sole discretion. Sponsor reserves the right to substitute a reward, in whole or in part, of equal or greater monetary value if a reward cannot be awarded, in whole or in part, as described for any reason. Value is subject to market conditions, which can fluctuate and any difference between actual market value and ARV will not be awarded. The reward(s) may be subject to restrictions and/or licenses and may require additional hardware, software, service, or maintenance to use. The reward recipient shall bear all responsibility for use of the rewards(s) in compliance with any conditions imposed by such manufacturer(s), and any additional costs associated with its use, service, or maintenance. Program Entities have not made and Program Entities are not responsible in any manner for any warranties, representations, or guarantees, express or implied, in fact or law, relating to the reward(s), regarding the use, value or enjoyment of the reward(s), including, without limitation, its quality, mechanical condition, merchantability, or fitness for a particular purpose, with the exception of any standard manufacturer's warranty that may apply to the reward or any components thereto.

  1. TAXES: PAYMENTS TO POTENTIAL REWARD RECIPIENTS ARE SUBJECT TO THE EXPRESS REQUIREMENT THAT THEY SUBMIT TO GOOGLE ALL DOCUMENTATION REQUESTED BY GOOGLE TO PERMIT IT TO COMPLY WITH ALL APPLICABLE STATE, FEDERAL, LOCAL, AND FOREIGN (INCLUDING PROVINCIAL) TAX REPORTING AND WITHHOLDING REQUIREMENTS. ALL REWARDS WILL BE NET OF ANY TAXES GOOGLE IS REQUIRED BY LAW TO WITHHOLD. ALL TAXES IMPOSED ON REWARDS ARE THE SOLE RESPONSIBILITY OF THE REWARD RECIPIENTS. In order to receive a reward, potential reward recipients must submit the tax documentation requested by Google or otherwise required by applicable law, to Google or the relevant tax authority, all as determined by applicable law, including, where relevant, the law of the potential recipient’s country of residence. The potential reward recipients are responsible for ensuring that (s)he complies with all the applicable tax laws and filing requirements. If a potential reward recipient fails to provide such documentation or comply with such laws, the reward may be forfeited and Google may, in its sole discretion, return the reward to the total reward pool.

  2. GENERAL CONDITIONS: All federal, state, provincial and local laws and regulations apply. Google reserves the right to disqualify any entrant from the Program if, in Google’s sole discretion, it reasonably believes that the entrant has attempted to undermine the legitimate operation of the Program by cheating, deception, or other unfair playing practices or annoys, abuses, threatens or harasses any other entrants, Google, or the Judges.

  3. INTELLECTUAL PROPERTY RIGHTS: As between Google and the entrant, the entrant retains ownership of all intellectual and industrial property rights (including moral rights) in and to the Exploit. By submitting an Exploit to the Program, the entrant warrants and represents that he or she owns all of the intellectual and industrial property rights in and to the Exploit. As a condition of submission, entrant grants Google, its subsidiaries, agents and partner companies, a perpetual, irrevocable, worldwide, royalty-free, and non-exclusive license to use, reproduce, adapt, modify, publish, distribute, publicly perform, create a derivative work from, and publicly display the Exploit (1) for the purposes of allowing Google and the Judges to evaluate the Exploit for purposes of the Program, (2) for the purposes of evaluating the Exploit and improving Google and third party products, services, systems and networks and (3) in connection with advertising and promotion via communication to the public or other groups, including, but not limited to, the right to make screenshots, animations and Exploit clips available for promotional purposes.

  4. PRIVACY: Entrant acknowledges and agrees that Google may collect, store, share and otherwise use personally identifiable information provided during the registration process and the Program, including, but not limited to, name, mailing address, phone number, and email address. Google will use this information in accordance with its Privacy Policy (, including for administering the Program and verifying Participant’s identity, postal address and telephone number in the event an entry qualifies for a reward.

Participant’s information may also be transferred to countries outside the country of participant's residence, including the United States. Such other countries may not have privacy laws and regulations similar to those of the country of participant's residence.

If a participant does not provide the mandatory data required at registration, Google reserves the right to disqualify the entry.

Participant has the right to request access, review, rectification or deletion of any personal data held by Google in connection with the Contest by writing to Google at this email address:

  1. PUBLICITY: By accepting a reward, entrant agrees to Sponsor and its agencies use of his or her name and/or likeness and Exploit for advertising and promotional purposes without additional compensation, unless prohibited by law.

  2. WARRANTY AND INDEMNITY: Entrants warrant that their Exploits are their own original work and, as such, they are the sole and exclusive owner and rights holder of the submitted Exploit and that they have the right to submit the Exploit in the Program and grant all required licenses. Each entrant agrees not to submit any Exploit that (1) infringes any third party proprietary rights, intellectual property rights, industrial property rights, personal or moral rights or any other rights, including without limitation, copyright, trademark, patent, trade secret, privacy, publicity or confidentiality obligations; or (2) otherwise violates the applicable state, federal, provincial or local law.

To the maximum extent permitted by law, each entrant indemnifies and agrees to keep indemnified Sponsor at all times from and against any liability, claims, demands, losses, damages, costs and expenses resulting from any act, default or omission of the entrant and/or a breach of any warranty set forth herein. To the maximum extent permitted by law, each entrant agrees to defend, indemnify and hold harmless the Sponsor from and against any and all claims, actions, suits or proceedings, as well as any and all losses, liabilities, damages, costs and expenses (including reasonable attorneys fees) arising out of or accruing from (a) any Esploit or other material uploaded or otherwise provided by the entrant that infringes any copyright, trademark, trade secret, trade dress, patent or other intellectual property right of any person or defames any person or violates their rights of publicity or privacy, (b) any misrepresentation made by the entrant in connection with the Program; (c) any non-compliance by the entrant with these Rules; (d) claims brought by persons or entities other than the parties to these Rules arising from or related to the entrant’s involvement with the Program; (e) acceptance, possession, misuse or use of any prize, or participation in any Program-related activity or participation in this Program; (f) any malfunction or other problem with the Program site; (g) any error in the collection, processing, or retention of submission information; or (h) any typographical or other error in the printing, offering or announcement of any reward or reward recipients.

  1. ELIMINATION: Any false information provided within the context of the Program by any entrant concerning identity, mailing address, telephone number, email address, ownership of right or non-compliance with these Rules or the like may result in the immediate elimination of the entrant from the Program.

  2. INTERNET: Sponsor is not responsible for any malfunction of the entire Program site or any late, lost, damaged, misdirected, incomplete, illegible, undeliverable, or destroyed Exploits or entry materials due to system errors, failed, incomplete or garbled computer or other telecommunication transmission malfunctions, hardware or software failures of any kind, lost or unavailable network connections, typographical or system/human errors and failures, technical malfunction(s) of any telephone network or lines, cable connections, satellite transmissions, servers or providers, or computer equipment, traffic congestion on the Internet or at the Program site, or any combination thereof, including other telecommunication, cable, digital or satellite malfunctions which may limit a participant’s ability to participate.

  3. RIGHT TO CANCEL, MODIFY OR DISQUALIFY: If for any reason the Program is not capable of running as planned, including infection by computer virus, bugs, tampering, unauthorized intervention, fraud, technical failures, or any other causes which corrupt or affect the administration, security, fairness, integrity, or proper conduct of the Program, Google reserves the right at its sole discretion to cancel, terminate, modify or suspend the Program. Google further reserves the right to disqualify any entrant who tampers with the submission process or any other part of the Program or Program site. Any attempt by an entrant to deliberately damage any web site, including the Program site, or undermine the legitimate operation of the Program is a violation of criminal and civil laws and should such an attempt be made, Google reserves the right to seek damages from any such entrant to the fullest extent of the applicable law.

  4. NOT AN OFFER OR CONTRACT OF EMPLOYMENT: Under no circumstances shall the submission of a Exploit into the Program, the awarding of a reward, or anything in these Rules be construed as an offer or contract of employment with either Google, or any other Program entities. You acknowledge that you have submitted your Exploit voluntarily and not in confidence or in trust. You acknowledge that no confidential, fiduciary, agency or other relationship or implied-in-fact contract now exists between you and Google or any other Program entities and that no such relationship is established by your submission of an Exploit under these Rules.

  5. FORUM AND RECOURSE TO JUDICIAL PROCEDURES: These Rules shall be governed by, subject to, and construed in accordance with the laws of the State of California, United States of America, excluding all conflict of law rules. If any provision(s) of these Rules are held to be invalid or unenforceable, all remaining provisions hereof will remain in full force and effect. To the extent permitted by law, the rights to litigate, seek injunctive relief or make any other recourse to judicial or any other procedure in case of disputes or claims resulting from or in connection with this Program are hereby excluded, and all participants expressly waive any and all such rights.

  6. ARBITRATION: By entering the Program, you agree that exclusive jurisdiction for any dispute, claim, or demand related in any way to the Program will be decided by binding arbitration. All disputes between you and Google of whatsoever kind or nature arising out of these Rules, shall be submitted to Judicial Arbitration and Mediation Services, Inc. (“JAMS”) for binding arbitration under its rules then in effect in the San Jose, California, USA area, before one arbitrator to be mutually agreed upon by both parties. The parties agree to share equally in the arbitration costs incurred.

  7. REWARD RECIPIENT’S LIST: Reward recipients will be posted on the Program site for six months following the conclusion of the Program.