HP rejects Google's claims that Pwn2Own does not provide exploit information to affected vendors.
Google has officially withdrawn its sponsorship from the 2012 Pwn2Own security challenge. According to Google, they pulled out after they discovered that exploits demonstrated at the event did not have to be disclosed to the affected vendors.
HP's TippingPoint, which runs the annual event, disagrees.
"Affected vendors always receive full details for vulnerabilities discovered during the Pwn2Own contest – this is a key benefit for the vendor community," Aaron Portnoy, Manager of the Security Research Team at HP TippingPoint, told InternetNews.com. "HP DVLabs analyzes each vulnerability it receives to determine the root problem, severity of the vulnerability, and its susceptibility to attack to help vendors assess the risks and deal with mitigating them."
DVLabs is the research division of HP TippingPoint and also runs the Zero Day Initiative (ZDI), which pays researchers throughout the year for disclosing security vulnerabilities. Portnoy explained that the vendors ZDI works with rely on the top-notch vulnerability assessment that ZDI provides. He stressed that HP provides the additional security assessment information at no charge to vendors. The whole program enables vendors to increase the speed at which they are able to fix the problem.
Google had initially committed $20,000 in additional rewards to the Pwn2Own 2012 contest for participants who find flaws in the Chrome web browser. Google had made a similar offer in 2011 that was left unclaimed at the end of the event, as no researcher was able to exploit Chrome.
Google's official withdrawal as a participant in the Pwn2Own event won't affect the contest all that much, according to Portnoy. He noted that the Pwn2Own contest remains focused on demonstrating vulnerabilities that matter to the enterprise, including the most commonly used operating systems and browsers.
"Contestants will have access to a total purse of $105,000 this year, spread over three prizes for vulnerabilities across all major browsers: Firefox, Internet Explorer, Safari, and Chrome," Portnoy said. "Google's withdrawal only removes the additional $20,000 they had offered up for vulnerabilities in its Chrome browser."
While Google is officially pulling out of Pwn2Own and taking $20,000 out of that pot, it is putting as much as $1 million into awards of its own, called Pwnium. The Pwnium awards pay $60,000 for a full Chrome exploit, $40,000 for a partial exploit, and $20,000 for flaws that are related to Chrome but not directly in the browser code (i.e. Flash, Windows).
While Google has opted to go it alone to run its own security contest, HP doesn't necessarily see Google's move as undermining the Pwn2Own 2012 event. In Portnoy's view, very few vendors have the expertise, time, or capital to manage security analysis of the type that HP TippingPoint does at Pwn2Own and as part of ZDI.
"Vulnerabilities are increasing in complexity and until vendors significantly invest in creating a thriving security research team within their own organization, they will rely on contests like Pwn2Own that can cut through the clutter and identify vulnerabilities based on risk," Portnoy said.