Pwnium4@CanSecWest2014
Chromium Security Reward Program
Official Rules
NO PURCHASE NECESSARY TO ENTER OR WIN. VOID WHERE PROHIBITED. CONTEST IS
OPEN TO RESIDENTS OF THE 50 UNITED STATES, THE DISTRICT OF COLUMBIA AND
WORLDWIDE, EXCEPT FOR RESIDENTS OF ITALY, BRAZIL, QUEBEC, CUBA, IRAN,
SYRIA, NORTH KOREA, and SUDAN.
ENTRY IN THIS CONTEST CONSTITUTES YOUR ACCEPTANCE OF THESE OFFICIAL RULES.
The Pwnium4@CanSecWest2014 Chromium Security Reward Program ("Program") is a
skill contest designed to encourage involvement in improving the
security of the Chromium project. Entrants submit original and
unreported exploits relying on security bugs in Chrome OS including
Chrome coupled with Flash / Chrome OS kernel and firmware / default apps
on Chrome OS (an “Exploit”). The Exploits entrants develop will be
evaluated by judges, who will award rewards to entrants who submit full
and reliable Exploits (or Incomplete Exploits, as described below) with
critical impact as determined in the sole discretion of the Judges.
1. BINDING AGREEMENT:
In order to enter the Program, you must agree to these Official Rules
(“Rules”). Therefore, please read these Rules prior to entry to ensure
you understand and agree. You agree that submission of an Exploit in the
Program constitutes agreement to these Rules. You may not submit an
Exploit to the Program and are not eligible to receive the rewards
described in these Rules unless you agree to these Rules. These Rules
form a binding legal agreement between you and Google with respect to
the Program.
2. ELIGIBILITY:
To be eligible to enter the Program, you must be: (1) above the age of
majority in the country, state, province or jurisdiction of residence
(or at least twenty years old in Taiwan) at the time of entry; (2) not a resident of Italy, Brazil, Quebec, Cuba, Iran, Syria, North Korea, or Sudan;
(3) not a person or entity under U.S. export controls or sanctions; and
(4) have access to the Internet as of January 23rd, 2014. Contest is void in Italy, Brazil, Quebec, Cuba, Iran, Syria, North Korea, Sudan, and where prohibited by law.
Employees, interns, contractors, and official office-holders of Google, and their
parent companies, subsidiaries, affiliates, and their respective
directors, officers, employees, advertising and promotion agencies,
representatives, and agents (“Program Entities”), and members of the
Program Entities’ and their immediate families (parents, siblings,
children, spouses, and life partners of each, regardless of where they
live) and members of the households (whether related or not) of such
employees, officers and directors are ineligible to participate in the
Program. Google reserves the right to verify eligibility and to
adjudicate on any dispute at any time.
If you are entering as part of a company or on behalf of your employer,
these rules are binding on you, individually, and/or your employer. If
you are acting within the scope of your employment, as an employee,
contractor, or agent of another party, you warrant that such party has
full knowledge of your actions and has consented thereto, including your
potential receipt of a reward. You further warrant that your actions do
not violate your employer’s or company’s policies and procedures.
3. SPONSOR:
The Program is sponsored by Google Inc. (“Google” or "Sponsor"), a
Delaware corporation with principal place of business at 1600
Amphitheatre Parkway, Mountain View, CA, 94043, USA.
4. PROGRAM PERIOD: The Program begins at 10:00:00 A.M. Pacific Time (PT)
Zone (in Vancouver, Canada) at CanSecWest 2014 on March 12th, 2014 and
ends at 12:00:00 P.M. PT on March 12th, 2014 (“Program Period”). Google
may extend the Program Period in its sole discretion. ENTRANTS ARE
RESPONSIBLE FOR DETERMINING THE CORRESPONDING TIME ZONE IN THEIR
RESPECTIVE JURISDICTIONS.
5. HOW TO ENTER: NO PURCHASE NECESSARY TO ENTER OR WIN. To enter the
Program, register before 5:00:00 P.M. PST (Pacific Standard Time) on
Monday, March 10th, 2014 by sending an email with your name to pwnium4@chromium.org,
and then visit the Google desk at CanSecWest 2014 in Vancouver, Canada
during the Program Period. Entrants will be assigned a specific timeslot
on March 12th, 2014 during which they may demonstrate Exploits to the
Judges. Exploits must be demonstrated during entrant’s assigned time to
be eligible for a reward, and must meet the “Exploit Requirements,”
described below.
Entrants are entirely responsible for all costs and fees associated with
entrant’s participation in the Program and attending the CanSecWest
2014, including (but not limited to) admission fees, transportation,
accommodation and living costs. All entries must be received before the
end of the Program Period. Entries are void if they are in whole or part
illegible, incomplete, damaged, altered, counterfeit, obtained through
fraud, or late. All entries will be deemed made by the authorized
account holder of the email address submitted at the time of submission,
and potential reward recipients may be required to show proof of being
the authorized account holder for that email address. The "authorized
account holder" is the natural person assigned to an email address by an
Internet service provider, online service provider, or other
organization responsible for assigning email addresses for the domain.
EXPLOIT REQUIREMENTS: The Exploit must meet the following criteria:
• Be an unreported and original exploit, which has not been shared or partially shared with anyone else or submitted in any other contests.
• Be an exploit relying on an unreported and original bug, bugs or security feature in Chrome OS, Flash or other software e.g. drivers.
• Be an attack that’s demonstrated against a base (WiFi) model of the ARM-based HP Chromebook 11, running the latest stable version of Chrome OS; or a 2GB WiFi model of the Acer C720 Intel Chromebook, running the latest stable version of Chrome OS.
• Be a remote exploit accessible through the Chrome browser, which works and is reliable.
• Be served from a password-authenticated and HTTPS-supported Google property, such as Google App Engine.
• Be present in the most recent supported channel(s) of Chrome OS.
• Be a critical vulnerability of high impact.
• Be authored or created by You.
• Be submitted with corresponding documentation that details each bug exploited.
During the Program Period, Google, its agents, and/or the Judges (defined
below) will be evaluating each Exploit to ensure that it meets the
Exploit Requirements. Google reserves the right, in its sole discretion,
to disqualify any entrant who submits an Exploit that does not meet the
Exploit Requirements.
6. JUDGING: Each Exploit submission will be judged by a panel of experts
who are employees of Google (“Judges”). Each Exploit will be evaluated
by the Judges as to whether the Exploit is a critical importance
vulnerability of high impact, based on the potential for persistent
access to the user’s account or guest mode on the Chrome operating
system.
Judges will evaluate each Exploit based upon the above criteria to determine
whether it is critical impact and qualifies for a reward.
If a potential reward recipient is disqualified for any reason, the reward
allocated to that recipient will be returned to the total reward pool.
On or about March 17th, 2014, the potential reward recipients will be
selected and notified by telephone and/or email, at Sponsor’s
discretion. If a potential reward recipient does not respond to the
notification attempt within five days from the first notification
attempt, then such potential reward recipient may be disqualified and
the allocated reward will be returned to the total reward pool. With
respect to notification by telephone, such notification will be deemed
given when the potential reward recipient engages in a live conversation
with Sponsor or when a message is left on the potential reward
recipient’s voicemail service or answering machine by the Sponsor,
whichever occurs first. Except where prohibited by law, each potential
reward recipient may be required to sign and return a Declaration of
Eligibility and Liability and Publicity Release and provide any
additional information that may be required by Sponsor. If required,
potential reward recipients must return all such required documents
within seven days following attempted notification or such potential
reward recipient may be deemed to have forfeited the reward and the
reward may be returned to the total reward pool. All notification
requirements, as well as other requirements within these Rules, will be
strictly enforced. In the event no Exploits are received, no rewards
will be awarded. Determinations of judges are final and binding.
7. REWARDS: Rewards for eligible Exploits will be allocated to eligible
entrants on a first-come-first-served basis, based on time of submission
during the Program Period specified above, until such time as the total
reward pool of $2.71828 million USD is exhausted:
An entrant submitting an Exploit demonstrating a Chrome OS system-level
compromise delivered via a web page and triggerable when browsing in
Guest mode and affecting all subsequent Guest mode sessions across
reboots (“persistent Guest-to-Guest exploit”) using bugs in Chrome OS,
as determined in the sole discretion of the Judges, will receive a
reward of $150,000 USD (one hundred and fifty thousand U.S. dollars).
An entrant submitting an Exploit demonstrating a Chrome browser-level
compromise delivered via a web page using bugs in Chrome OS as
determined in the sole discretion of the Judges, will receive a reward
of $110,000 USD (one hundred and ten thousand U.S. dollars).
Google reserves the right to issue partial rewards, in its sole discretion,
for partial, incomplete or unreliable Exploits. Google may also consider
issuing significant bonuses for any Entrant who demonstrates a
particularly impressive or surprising exploit.
Each reward recipient will also receive a Chromebook, provided such reward
recipient resides in a country where Chromebooks are legally available.
Odds of winning any reward depend on the number of eligible entries
received during the Program Period and the skill of the entrants. The
rewards will be awarded within approximately two weeks of receipt by
Sponsor of final reward acceptance documents. No transfer, substitution
or cash equivalent for rewards is allowed, except at Sponsor’s sole
discretion. Sponsor reserves the right to substitute a reward, in whole
or in part, of equal or greater monetary value if a reward cannot be
awarded, in whole or in part, as described for any reason. Value is
subject to market conditions, which can fluctuate and any difference
between actual market value and ARV will not be awarded. The reward(s)
may be subject to restrictions and/or licenses and may require
additional hardware, software, service, or maintenance to use. The
reward recipient shall bear all responsibility for use of the reward(s)
in compliance with any conditions imposed by such manufacturer(s), and
any additional costs associated with its use, service, or maintenance.
Program Entities have not made and Program Entities are not responsible
in any manner for any warranties, representations, or guarantees,
express or implied, in fact or law, relating to the reward(s), regarding
the use, value or enjoyment of the reward(s), including, without
limitation, its quality, mechanical condition, merchantability, or
fitness for a particular purpose, with the exception of any standard
manufacturer's warranty that may apply to the reward or any components
thereto.
9. TAXES: PAYMENTS TO POTENTIAL REWARD RECIPIENTS ARE SUBJECT TO THE
EXPRESS REQUIREMENT THAT THEY SUBMIT TO GOOGLE ALL DOCUMENTATION
REQUESTED BY GOOGLE TO PERMIT IT TO COMPLY WITH ALL APPLICABLE STATE,
FEDERAL, LOCAL, AND FOREIGN (INCLUDING PROVINCIAL) TAX REPORTING AND
WITHHOLDING REQUIREMENTS. ALL REWARDS WILL BE NET OF ANY TAXES GOOGLE IS
REQUIRED BY LAW TO WITHHOLD. ALL TAXES IMPOSED ON REWARDS ARE THE SOLE
RESPONSIBILITY OF THE REWARD RECIPIENTS. In order to receive a reward,
potential reward recipients must submit the tax documentation requested
by Google or otherwise required by applicable law, to Google or the
relevant tax authority, all as determined by applicable law, including,
where relevant, the law of the potential recipient’s country of
residence. Each potential reward recipient is responsible for ensuring
that (s)he complies with all the applicable tax laws and filing
requirements. If a potential reward recipient fails to provide such
documentation or comply with such laws, the reward may be forfeited and
Google may, in its sole discretion, return the reward to the total
reward pool.
10. GENERAL CONDITIONS: All federal, state, provincial and local laws and
regulations apply. Google reserves the right to disqualify any entrant
from the Program if, in Google’s sole discretion, it reasonably believes
that the entrant has attempted to undermine the legitimate operation of
the Program by cheating, deception, or other unfair playing practices
or annoys, abuses, threatens or harasses any other entrants, Google, or
the Judges.
11. INTELLECTUAL PROPERTY RIGHTS: As between Google and the entrant, the
entrant retains ownership of all intellectual and industrial property
rights (including moral rights) in and to the Exploit. By submitting an
Exploit to the Program, the entrant warrants and represents that he or
she owns all of the intellectual and industrial property rights in and
to the Exploit. As a condition of submission, entrant grants Google, its
subsidiaries, agents and partner companies, a perpetual, irrevocable,
worldwide, royalty-free, and non-exclusive license to use, reproduce,
adapt, modify, publish, distribute, publicly perform, create a
derivative work from, and publicly display the Exploit (1) for the
purposes of allowing Google and the Judges to evaluate the Exploit for
purposes of the Program, (2) for the purposes of evaluating the Exploit
and improving Google and third party products, services, systems and
networks and (3) in connection with advertising and promotion via
communication to the public or other groups, including, but not limited
to, the right to make screenshots, animations and Exploit clips
available for promotional purposes.
12. PRIVACY: Entrant
acknowledges and agrees that Google may collect, store, share and
otherwise use personally identifiable information provided during the
registration process and the Program, including, but not limited to,
name, mailing address, phone number, and email address. Google will use
this information in accordance with its Privacy Policy (http://www.google.com/policies/privacy/),
including for administering the Program and verifying Participant’s
identity, postal address and telephone number in the event an entry
qualifies for a reward.
Participant’s information may also be transferred to countries outside the country of
participant's residence, including the United States. Such other
countries may not have privacy laws and regulations similar to those of
the country of participant's residence.
If a participant does not provide the mandatory data required at
registration, Google reserves the right to disqualify the entry.
Participant has the right to request access, review, rectification or deletion of
any personal data held by Google in connection with the Contest by
writing to Google at this email address: security@chromium.org.
13. PUBLICITY: By accepting a reward, entrant agrees to Sponsor’s and its
agencies’ use of his or her name and/or likeness and Exploit for
advertising and promotional purposes without additional compensation,
unless prohibited by law.
14. WARRANTY AND INDEMNITY: Entrants warrant that their Exploits are their
own original work and, as such, they are the sole and exclusive owner
and rights holder of the submitted Exploit and that they have the right
to submit the Exploit in the Program and grant all required licenses.
Each entrant agrees not to submit any Exploit that (1) infringes any
third party proprietary rights, intellectual property rights, industrial
property rights, personal or moral rights or any other rights,
including without limitation, copyright, trademark, patent, trade
secret, privacy, publicity or confidentiality obligations; or (2)
otherwise violates the applicable state, federal, provincial or local
law.
To the maximum extent permitted by law, each entrant indemnifies and
agrees to keep indemnified Sponsor at all times from and against any
liability, claims, demands, losses, damages, costs and expenses
resulting from any act, default or omission of the entrant and/or a
breach of any warranty set forth herein. To the maximum extent permitted
by law, each entrant agrees to defend, indemnify and hold harmless the
Sponsor from and against any and all claims, actions, suits or
proceedings, as well as any and all losses, liabilities, damages, costs
and expenses (including reasonable attorneys’ fees) arising out of or
accruing from (a) any Exploit or other material uploaded or otherwise
provided by the entrant that infringes any copyright, trademark, trade
secret, trade dress, patent or other intellectual property right of any
person or defames any person or violates their rights of publicity or
privacy, (b) any misrepresentation made by the entrant in connection
with the Program; (c) any non-compliance by the entrant with these
Rules; (d) claims brought by persons or entities other than the parties
to these Rules arising from or related to the entrant’s involvement with
the Program; (e) acceptance, possession, misuse or use of any prize, or
participation in any Program-related activity or participation in this
Program; (f) any malfunction or other problem with the Program site; (g)
any error in the collection, processing, or retention of submission
information; or (h) any typographical or other error in the printing,
offering or announcement of any reward or reward recipients.
15. ELIMINATION: Any false information provided within the context of the
Program by any entrant concerning identity, mailing address, telephone
number, email address, ownership of right or non-compliance with these
Rules or the like may result in the immediate elimination of the entrant
from the Program.
16. INTERNET: Sponsor is not responsible for any malfunction of the entire
Program site or any late, lost, damaged, misdirected, incomplete,
illegible, undeliverable, or destroyed Exploits or entry materials due
to system errors, failed, incomplete or garbled computer or other
telecommunication transmission malfunctions, hardware or software
failures of any kind, lost or unavailable network connections,
typographical or system/human errors and failures, technical
malfunction(s) of any telephone network or lines, cable connections,
satellite transmissions, servers or providers, or computer equipment,
traffic congestion on the Internet or at the Program site, or any
combination thereof, including other telecommunication, cable, digital
or satellite malfunctions which may limit a participant’s ability to
participate.
17. RIGHT TO CANCEL, MODIFY OR DISQUALIFY: If for any reason the Program is
not capable of running as planned, including infection by computer
virus, bugs, tampering, unauthorized intervention, fraud, technical
failures, or any other causes which corrupt or affect the
administration, security, fairness, integrity, or proper conduct of the
Program, Google reserves the right at its sole discretion to cancel,
terminate, modify or suspend the Program. Google further reserves the
right to disqualify any entrant who tampers with the submission process
or any other part of the Program or Program site. Any attempt by an
entrant to deliberately damage any web site, including the Program site,
or undermine the legitimate operation of the Program is a violation of
criminal and civil laws and should such an attempt be made, Google
reserves the right to seek damages from any such entrant to the fullest
extent of the applicable law.
18. NOT AN OFFER OR CONTRACT OF EMPLOYMENT: Under no circumstances shall
the submission of an Exploit into the Program, the awarding of a reward,
or anything in these Rules be construed as an offer or contract of
employment with either Google, or any other Program entities. You
acknowledge that you have submitted your Exploit voluntarily and not in
confidence or in trust. You acknowledge that no confidential, fiduciary,
agency or other relationship or implied-in-fact contract now exists
between you and Google or any other Program entities and that no such
relationship is established by your submission of an Exploit under these
Rules.
19. FORUM AND RECOURSE TO JUDICIAL PROCEDURES: These Rules shall be
governed by, subject to, and construed in accordance with the laws of
the State of California, United States of America, excluding all
conflict of law rules. If any provision(s) of these Rules are held to be
invalid or unenforceable, all remaining provisions hereof will remain
in full force and effect. To the extent permitted by law, the rights to
litigate, seek injunctive relief or make any other recourse to judicial
or any other procedure in case of disputes or claims resulting from or
in connection with this Program are hereby excluded, and all
participants expressly waive any and all such rights.
20. ARBITRATION: By entering the Program, you agree that exclusive
jurisdiction for any dispute, claim, or demand related in any way to the
Program will be decided by binding arbitration. All disputes between
you and Google of whatsoever kind or nature arising out of these Rules,
shall be submitted to Judicial Arbitration and Mediation Services, Inc.
(“JAMS”) for binding arbitration under its rules then in effect in the
San Jose, California, USA area, before one arbitrator to be mutually
agreed upon by both parties. The parties agree to share equally in the
arbitration costs incurred.
20. REWARD RECIPIENT’S LIST: Reward recipients will be posted on the
Program site for six months following the conclusion of the Program.