Google Will Pay You $100,000 to Hack a Chromebook
If you can hack a Chromebook remotely, you might get a fat check from Google. The Chrome security team has doubled its top "bug bounty" to $100,000, payable to the first person who compromises a Chromebook or Chromebox machine through the Web.
The catch is that the compromise has to work on Chrome OS's limited Guest mode and survive a system reboot — or, in hacker terms, achieve persistence.
Until yesterday (March 14), Google offered only $50,000 for the top prize in its Chrome Reward Program. In a post on the Google Security Blog, two Chrome development staffers said no one had submitted a working entry.
Guest mode on Chrome OS disables most browser extensions and apps, and, like Incognito mode, prevents the retention of browsing histories and cookies. Unlike the regular user, who signs in with a Google account, a guest user has very little leeway to alter anything about the machine.
If a hacker managed to compromise guest mode on a Chromebook with persistence, it would be a severe failure of Chrome OS security — which is why the Chrome developers want to see if it can be done.
"Great research deserves great awards," the developers wrote in their blog post. "We’re putting up a standing six-figure sum, available all year round with no quotas and no maximum reward pool."
Other bug bounties applicable to both Chrome OS and the Chrome browser range from zero to $15,000.
Bounty programs like Google's are arguably in the public interest. (Other tech companies, such as Facebook, offer similar prizes.) Paying researchers and would-be hackers to discreetly disclose information about software flaws and possible exploits directly to developers is a win-win scenario. The hacker gets a chance at a big payoff, and the company gets a chance to fix its software.
The alternatives would be unfettered public disclosure of unpatched flaws, which benefits no one, or back-channel exploit sales to online criminals or nation-state intelligence agencies, which keeps a company in the dark and its clients vulnerable to attack.