Google has officially withdrawn its sponsorship from the 2012 Pwn2Own security challenge. According to Google, they pulled out after they discovered that exploits demonstrated at the event did not have to be disclosed to the affected vendors.
HP’s TippingPoint, which runs the annual event, disagrees.
“Affected vendors always receive full details for vulnerabilities discovered during the Pwn2Own contest – this is a key benefit for the vendor community,” Aaron Portnoy, Manager of the Security Research Team at HP TippingPoint, told InternetNews.com. “HP DVLabs analyzes each vulnerability it receives to determine the root problem, severity of the vulnerability, and its susceptibility to attack to help vendors assess the risks and deal with mitigating them.”
DVLabs is the research division of HP TippingPoint and also runs the Zero Day Initiative (ZDI), which pays researchers throughout the year for disclosing security vulnerabilities. Portnoy explained that the vendors that ZDI works with rely on the top-notch vulnerability assessment that ZDI provides. He stressed that HP provides the additional security assessment information at no charge to vendors. The whole program enables vendors to increase the speed at which they are able to fix the problem.
Google had initially committed $20,000 in additional rewards to the Pwn2Own 2012 contest for participants who find flaws in the Chrome web browser. Google had a similar offer in 2011 that was left unclaimed at the end of the event, as no researcher was able to exploit Chrome.
Google’s official withdrawal as a participant in the Pwn2Own event won’t affect the content all that much, according to Portnoy. He noted that the Pwn2Own contest remains focused on demonstrating vulnerabilities that matter to the enterprise, including the most commonly used operating systems and browsers.