Google to Pay $100,000 if You can Hack a Chromebook Remotely

Google has doubled its reward for hackers who can breach Chromebooks in a locked-down state known as Guest Mode

Google paid out more than $2m to researchers for reporting security bugs last year, but still no one has been able to successfully hack a Chromebook. Google has put up a $100,000 reward for anyone who can find a way to hack its Chromebook over the web.

The move doubles last year's top reward of $50,000, available exclusively for attacks that achieve a persistent compromise on a Chromebook in 'guest mode', meaning the attacker's code sticks around on the device even after a reboot and affects subsequent guest-mode sessions.

In the context of a Chromebook, guest mode is a locked-down state designed to support device sharing, which protects the owner's Chrome profile from tampering, and is meant to ensure browser data and cookies vanish at the end of a session.

But as Google outlined on Monday, in the year since it dangled the $50,000 Chromebook reward under its Chrome Reward Program, it hasn't received a single successful submission. According to Google's rewards page: "We have a standing $100,000 reward for participants who can compromise a Chromebook or Chromebox with device persistence in guest mode, i.e., guest-to-guest persistence with interim reboot, delivered via a web page."

Google has previously offered more for the same attacks on Chromebooks at the Pwnium hacking contest but that was a one-day prize under competition rules rather than a year-round offer. With attacks on Chromebooks accounting for none of the more than $2m Google paid out to researchers for reporting security bugs last year, the new top reward is designed to encourage more activity in this area.

Google has also broadened its bounty program to include attacks on its Safe Browsing technology, which protects Chrome users from known malicious URLs on the web and potentially unwanted applications. The new bounty, Download Protection Bypass, offers up to $1,000 for reports that bypass the feature, which is meant to flag when a user attempts to download a malicious file and provide an option to keep or discard the file.

Google is more likely to reward those who can sneak a binary into a location such as the Downloads folder where a user is more likely to execute it.