the Chromium logo

The Chromium Projects

Pwnium 2

Chromium Security Reward Program

Pwnium2@HITBSecConf2012 Official Rules

The Pwnium2@HITBSecConf2012 Chromium Security Reward Program ("Program") is designed to encourage involvement in improving the security of the Chromium project. Participants submit original and unreported exploits relying on security bugs in Chrome alone, or Chrome coupled with Flash / Windows / other software like drivers (an “Exploit”). Rewards will be awarded to participants who submit full and reliable Exploits (or Incomplete Exploits as described below) with critical impact as determined in the sole discretion of the Judges. NO PURCHASE NECESSARY TO ENTER OR WIN. VOID WHERE PROHIBITED. SPONSOR: The Program is sponsored by Google Inc. (“Google” or "Sponsor"), a Delaware corporation with principal place of business at 1600 Amphitheatre Parkway, Mountain View, CA, 94043, USA. BINDING AGREEMENT: In order to enter the Program, you must agree to these Official Rules (“Rules”). Therefore, please read these Rules prior to entry and submission to ensure you understand and agree. You agree that submission of an Exploit in the Program constitutes agreement to these Rules. You may not submit an Exploit to the Program and are not eligible to receive the rewards described in these Rules unless you agree to these Rules. These Rules form a binding legal agreement between you and Google with respect to the Program. ELIGIBILITY: To be eligible to enter the Program, you must be above the age of majority in the country, state, province or jurisdiction of residence (or at least twenty years old in Taiwan) at the time of submission (“You” or “Entrant”). The Program is void in, and not open to residents of, Cuba, Iran, Syria, North Korea or Sudan or to individuals and entities restricted by U.S. export controls and sanctions, and is void in any other nation, state, or province where prohibited or restricted by U.S. or local law. Employees, interns, contractors, and official office-holders of Google and their subsidiaries, affiliates, and their respective directors, officers, employees, advertising and promotion agencies, representatives, and agents (“Program Entities”), and members of the Program Entities’ and their immediate families (parents, siblings, children, spouses, and life partners of each, regardless of where they live) and members of the households (whether related or not) of such employees, officers and directors are ineligible to participate in the Program. Google reserves the right to verify eligibility and to adjudicate on any dispute at any time. If you are entering as part of a company or on behalf of your employer, these rules are binding on you, individually, and/or your employer. If you are acting within the scope of your employment, as an employee, contractor, or agent of another party, you warrant that such party has full knowledge of your actions and has consented thereto, including your potential receipt of a reward. You further warrant that your actions do not violate your employer’s or company’s policies and procedures. PROGRAM PERIOD: The Program begins at 10:00 A.M. local time (in Kuala Lumpur, Malaysia) at the HITBSecConf2012 on October 10, 2012 and ends at 2:00 P.M. local time on October 10, 2012 (“Program Period”). Google may extend the Program Period in its sole discretion. ENTRANTS ARE RESPONSIBLE FOR DETERMINING THE CORRESPONDING TIME ZONE IN THEIR RESPECTIVE JURISDICTIONS. HOW TO ENTER: NO PURCHASE NECESSARY TO ENTER OR WIN. To enter the Program, visit the Google desk at HITBSecConf2012 in Kuala Lumpur, Malaysia during the Program Period. Entrants are entirely responsible for all costs and fees associated with attending the HITBSecConf2012, including (but not limited to) admission fees, transportation, accommodation and living costs. For additional information visit the Program website located at https://www.chromium.org/Home/chromium-security/pwnium-2 before or during the Program Period and follow the instructions for submitting an Exploit that highlights a critical importance security issue, which has not yet been reported to, or otherwise come to attention of, the Chromium project. The Exploit must meet the “Exploit Requirements,” described below. All entries must be received before the end of the Program Period. Entries are void if they are in whole or part illegible, incomplete, damaged, altered, counterfeit, obtained through fraud, or late. All entries will be deemed made by the authorized account holder of the email address submitted at the time of submission, and potential reward recipients may be required to show proof of being the authorized account holder for that email address. The "authorized account holder" is the natural person assigned to an email address by an Internet service provider, online service provider, or other organization responsible for assigning email address for the domain. EXPLOIT REQUIREMENTS: The Exploit must meet the following criteria: • Be an unreported and original exploit, which has not been shared or partially shared with anyone else or submitted in any other contests until it has been submitted to, and judged by, Google. • Be an exploit relying on an unreported and original bug, bugs or security feature in Chrome or in Chrome when used in connection with Windows, Flash or other software e.g. drivers. • Be a remote exploit accessible through the Chrome browser, which works and is reliable. • Be present in the most recent supported channel(s) of Chrome, running on the latest version of Windows7 on the provided test machine. • Be a critical vulnerability of high impact. • Be authored or created by You. • Be submitted with corresponding documentation that details each bug exploited. During the Program Period, Google and/or its agents will be evaluating each Exploit to ensure that it meets the Exploit Requirements. Google reserves the right, in its sole discretion, to disqualify any entrant who submits an Exploit that does not meet the Exploit Requirements. JUDGING: Each Exploit submission will be judged by a panel of experts who are employees of Google (“Judges”). Each Exploit will be evaluated by the Judges as to whether the Exploit is a critical importance vulnerability of high impact based on the potential for persistent access to the user’s account on the Windows operating system. Judges will evaluate each Exploit based upon the above criteria to determine whether it is critical impact and qualifies for a reward. Rewards will be allocated on a first-come-first-served basis, based on time of submission during the Program Period specified above, until such time as the total reward pool of $2,000,000 USD (two million U.S. dollars) is exhausted. In the event a potential reward recipient is disqualified for any reason, the reward allocated to that recipient will be returned to the total reward pool. The potential reward recipients will be selected and notified by telephone and/or email, at Sponsor’s discretion. If a potential reward recipient does not respond to the notification attempt within five days from the first notification attempt, then such potential recipient may be disqualified and their allocated reward will be returned to the total reward pool. With respect to notification by telephone, such notification will be deemed given when the potential reward recipient engages in a live conversation with Sponsor or when a message is left on the potential reward recipient’s voicemail service or answering machine by the Sponsor, whichever occurs first. Except where prohibited by law, each potential reward recipient may be required to sign and return a Declaration of Eligibility and Liability and Publicity Release and provide any additional information that may be required by Sponsor. If required, potential reward recipients must return all such required documents within seven days following attempted notification or such potential reward recipient may be deemed to have forfeited the reward and the reward may be returned to the total reward pool. In the event the potential reward recipient is a minor, his or her parent or legal guardian must sign the documents and return them as described herein. All notification requirements, as well as other requirements within these Rules, will be strictly enforced. In the event that no Exploits are received, no rewards will be awarded. Determinations of judges are final and binding. REWARDS: An Entrant submitting an Exploit demonstrating a critical importance high impact Chrome / Win7 local OS user account persistence using only bugs in Chrome itself (a “Full Chrome Exploit”), as determined in the sole discretion of the Judges, will receive a reward of $60,000 USD (sixty thousand U.S. dollars). An Entrant submitting an Exploit demonstrating a critical importance high impact Chrome / Win7 local OS user account persistence using at least one bug in Chrome plus bugs in other software (e.g. a WebKit bug combined with a Windows kernel bug) (a “Partial Chrome Exploit”), as determined in the sole discretion of the Judges, will receive a reward of $50,000 USD (fifty thousand U.S. dollars). An Entrant submitting an Exploit demonstrating a critical importance high impact Chrome / Win7 local OS user account persistence using only bugs not found in Chrome (e.g. bugs in Flash / Windows / drivers) (a “Non Chrome Exploit”), as determined in the sole discretion of the Judges, will receive a reward of $40,000 USD (forty thousand U.S. dollars). An Entrant submitting an unreliable or incomplete Exploit demonstrating a critical importance high impact Chrome / Win7 local OS user account persistence (e.g. code execution inside a sandbox but not sandbox escape; or sandbox escape in isolation) (a “Incomplete Exploit”), as determined in the sole discretion of the Judges, may receive a reward in an amount to be determined by the judges. Each reward recipient will also receive a ChromeOS netbook, provided they reside in a country to which ChromeOS netbooks can be legally shipped. All rewards are contingent on Entrant's compliance with these Rules. The rewards will be awarded within approximately two weeks of receipt by Sponsor of final reward acceptance documents. No transfer, substitution or cash equivalent for rewards is allowed, except at Sponsor’s sole discretion. Sponsor reserves the right to substitute a reward, in whole or in part, of equal or greater monetary value if a reward cannot be awarded, in whole or in part, as described for any reason. Value is subject to market conditions, which can fluctuate and any difference between actual market value and ARV will not be awarded. The reward(s) may be subject to restrictions and/or licenses and may require additional hardware, software, service, or maintenance to use. The reward recipient shall bear all responsibility for use of the rewards(s) in compliance with any conditions imposed by such manufacturer(s), and any additional costs associated with its use, service, or maintenance. Program Entities have not made and Program Entities are not responsible in any manner for any warranties, representations, or guarantees, express or implied, in fact or law, relating to the reward(s), regarding the use, value or enjoyment of the reward(s), including, without limitation, its quality, mechanical condition, merchantability, or fitness for a particular purpose, with the exception of any standard manufacturer's warranty that may apply to the reward or any components thereto. TAXES: PAYMENTS TO POTENTIAL REWARD RECIPIENTS ARE SUBJECT TO THE EXPRESS REQUIREMENT THAT THEY SUBMIT TO GOOGLE ALL DOCUMENTATION REQUESTED BY GOOGLE TO PERMIT IT TO COMPLY WITH ALL APPLICABLE STATE, FEDERAL, LOCAL, PROVINCIAL AND FOREIGN TAX REPORTING AND WITHHOLDING REQUIREMENTS. ALL REWARDS WILL BE NET OF ANY TAXES GOOGLE IS REQUIRED BY LAW TO WITHHOLD. ALL TAXES IMPOSED ON REWARDS ARE THE SOLE RESPONSIBILITY OF THE REWARD RECIPIENTS. In order to receive a reward, potential reward recipients must submit the tax documentation requested by Google or otherwise required by applicable law, to Google or the relevant tax authority, all as determined by applicable law, including, where relevant, the law of the potential recipient’s country of residence. The potential reward recipients are responsible for ensuring that (s)he complies with all the applicable tax laws and filing requirements. If a potential reward recipient fails to provide such documentation or comply with such laws, the reward may be forfeited and Google may, in its sole discretion, return the reward to the total reward pool. GENERAL CONDITIONS: All federal, state, provincial and local laws and regulations apply. Google reserves the right to disqualify any entrant from the Program if, in Google’s sole discretion, it reasonably believes that the entrant has attempted to undermine the legitimate operation of the Program by cheating, deception, or other unfair playing practices or annoys, abuses, threatens or harasses any other entrants, Google, or the Judges. INTELLECTUAL PROPERTY RIGHTS: As between Google and the entrant, the entrant retains ownership of all intellectual and industrial property rights (including moral rights) in and to the Exploit. As a condition of submission, entrant grants Google, its subsidiaries, agents and partner companies, a perpetual, irrevocable, worldwide, royalty-free, and non-exclusive license to use, reproduce, adapt, modify, publish, distribute, publicly perform, create a derivative work from, and publicly display the Exploit (1) for the purposes of allowing Google and the Judges to evaluate the Exploit for purposes of the Program, (2) for the purposes of evaluating the Exploit and improving Google and third party products, services, systems and networks and (3) in connection with advertising and promotion via communication to the public or other groups, including, but not limited to, the right to make screenshots, animations and Exploit clips available for promotional purposes. PRIVACY: Participants agree that personal data entered during the registration, including name, mailing address, phone number, and email address may be processed, stored, shared and otherwise used for the purposes and within the context of the Program. This data will also be stored in / transferred into the United States. By entering, entrants agree to the transmission, processing, sharing and storage of this personal data in the United States. Participants also understand this data may be used by Sponsor in order to verify an Entrant’s identity, postal address and telephone number in the event a submission qualifies for a reward. Participants have the right to access, review, rectify or cancel any personal data held by Google in connection with the Program by writing to Google at the address listed above. If a participant does not provide the data require at registration, that participant’s submission will be ineligible. Otherwise, all personal information that is collected from the entrant is subject to Google’s Privacy Policy, located at http://www.google.com/privacy.html. By accepting a reward, participant agrees and consents to Google and its agencies use of entrant’s name and/or likeness to name the entrant for a reasonable time after completion of the Program in promotional and advertising material of Google (or its agents) as a recipient of a reward of the Program without additional compensation, unless prohibited by law. For residents of the EU: pursuant to EU law pertaining to data collection and processing, you are informed that: - the data controller is Google and the data recipients are Google and its agents; - your data is collected for purposes of administration of the Program and for marketing purposes; - you have a right of access to and withdrawal of your personal data. You also have a right of opposition to the data collection, under certain circumstances. To exercise such right, you may write to security@chromium.org. PUBLICITY: By accepting a reward, Entrant agrees to Sponsor and its agencies use of his or her name and/or likeness and Exploit for advertising and promotional purposes without additional compensation, unless prohibited by law. WARRANTY AND INDEMNITY: Participants warrant that their Exploits are their own original work and, as such, they are the sole and exclusive owner and rights holder of the submitted Exploit and that they have the right to submit the Exploit in the Program and grant all required licenses. Each entrant agrees not to submit any Exploit that (1) infringes any third party proprietary rights, intellectual property rights, industrial property rights, personal or moral rights or any other rights, including without limitation, copyright, trademark, patent, trade secret, privacy, publicity or confidentiality obligations; or (2) otherwise violates the applicable state, federal, provincial or local law. To the maximum extent permitted by law, each Entrant indemnifies and agrees to keep indemnified Sponsor at all times from and against any liability, claims, demands, losses, damages, costs and expenses resulting from any act, default or omission of the Entrant and/or a breach of any warranty set forth herein. To the maximum extent permitted by law, each Entrant agrees to defend, indemnify and hold harmless the Sponsor from and against any and all claims, actions, suits or proceedings, as well as any and all losses, liabilities, damages, costs and expenses (including reasonable attorneys fees) arising out of or accruing from (a) any or other material uploaded or otherwise provided by the entrant that infringes any copyright, trademark, trade secret, trade dress, patent or other intellectual property right of any person or defames any person or violates their rights of publicity or privacy, (b) any misrepresentation made by the entrant in connection with the Program; (c) any non-compliance by the entrant with these Rules; (d) claims brought by persons or entities other than the parties to these Rules arising from or related to the Entrant’s involvement with the Program; (e) acceptance, possession, misuse or use of any reward or participation in any Program-related activity or participation in this Program; (f) any malfunction or other problem with the Program site; (g) any error in the collection, processing, or retention of submission information; or (h) any typographical or other error in the printing, offering or announcement of any reward or reward recipients. ELIMINATION: Any false information provided within the context of the Program by any Entrant concerning identity, mailing address, telephone number, email address, ownership of right or non-compliance with these Rules or the like may result in the immediate elimination of the entrant from the Program. NETWORK: Sponsor is not responsible for any malfunction of the entire Program site or any late, lost, damaged, misdirected, incomplete, illegible, undeliverable, or destroyed Exploits due to system errors, failed, incomplete or garbled computer or other telecommunication transmission malfunctions, hardware or software failures of any kind, lost or unavailable network connections, typographical or system/human errors and failures, technical malfunction(s) of any telephone network or lines, cable connections, satellite transmissions, servers or providers, or computer equipment, traffic congestion on the Internet or at the Program site, or any combination thereof, including other telecommunication, cable, digital or satellite malfunctions which may limit an entrant’s ability to participate. RIGHT TO CANCEL, MODIFY OR DISQUALIFY: If for any reason the Program is not capable of running as planned, including infection by computer virus, bugs, tampering, unauthorized intervention, fraud, technical failures, or any other causes which corrupt or affect the administration, security, fairness, integrity, or proper conduct of the Program, Google reserves the right at its sole discretion to cancel, terminate, modify or suspend the Program. Google further reserves the right to disqualify any entrant who tampers with the submission process or any other part of the Program or Program site. Any attempt by an entrant to deliberately damage any web site, including the Program site, or undermine the legitimate operation of the Program is a violation of criminal and civil laws and should such an attempt be made, Google reserves the right to seek damages from any such entrant to the fullest extent of the applicable law. NOT AN OFFER OR CONTRACT OF EMPLOYMENT: Under no circumstances shall the submission of a Exploit into the Program, the awarding of a reward, or anything in these Rules be construed as an offer or contract of employment with either Google, or any other Program entities. You acknowledge that you have submitted your Exploit voluntarily and not in confidence or in trust. You acknowledge that no confidential, fiduciary, agency or other relationship or implied-in-fact contract now exists between you and Google or any other Program entities and that no such relationship is established by your submission of an Exploit under these Rules. FORUM AND RECOURSE TO JUDICIAL PROCEDURES: These Rules shall be governed by, subject to, and construed in accordance with the laws of the State of California, United States of America, excluding all conflict of law rules. If any provision(s) of these Rules are held to be invalid or unenforceable, all remaining provisions hereof will remain in full force and effect. To the extent permitted by law, the rights to litigate, seek injunctive relief or make any other recourse to judicial or any other procedure in case of disputes or claims resulting from or in connection with this Program are hereby excluded, and all Participants expressly waive any and all such rights. ARBITRATION: By entering the Program, you agree that exclusive jurisdiction for any dispute, claim, or demand related in any way to the Program will be decided by binding arbitration. All disputes between you and Google of whatsoever kind or nature arising out of these Rules, shall be submitted to Judicial Arbitration and Mediation Services, Inc. (“JAMS”) for binding arbitration under its rules then in effect in the San Jose, California, USA area, before one arbitrator to be mutually agreed upon by both parties. The parties agree to share equally in the arbitration costs incurred. REWARD RECIPIENT’S LIST: Reward recipients will be posted on the Program site for three months following the conclusion of the Program.