Google has scrapped its annual one-day contest to demonstrate vulnerabilities in Chrome. In future bugs can attract rewards all the year round.

Security researchers might have expected an announcement before now about Google's annual Pwnium hacking contest that has taken place in early at CanSecWest over recent years, offering rewards potentially amounting to millions of dollars.

Now the Chromium blog has broken the silence - and changed the rules in a big way. The Pwnium contest is now never ending,  rewards pool is similarly limitless. The top reward on the Chrome Reward Program for a qualifying bug in the Chrome OS will now be $50,000. While this is a big step up for the Chrome Reward program which previously had a maximum of $15,00 (see Google Increases Maximum Bounty For Chrome Bugs), it is significantly less than the prizes of up to $150,000 awarded at previous Pwnium contests

According to the Chrome security team, moving from a once-a-year event to being a continual competition removes the barriers to entry - previously only those who had pre-registered and are were actually CanSecWest were eligible for the Pwnium rewards - and removes the incentive for "bug hoarding,  that is discovering a bug and waiting until the annual contest to report it in order to cash in. 

The Chrome Security team points out:

This is a bad scenario for all parties. It’s bad for us because the bug doesn’t get fixed immediately and our users are left at risk. It’s bad for them as they run the real risk of a bug collision. By allowing security researchers to submit bugs all year-round, collisions are significantly less likely and security researchers aren’t duplicating their efforts on the same bugs.

In addition, having asked some researchers, the team discovered that having the option to report all year round is the preferred option.

 Although Pwnium won't be at CanSecWest 2015, taking place March 18-20 in Vancouver, Canada, the longer established Pwn2Own contest organized by Hewlett Packard's Zero Day Initiative will be there. The prize funds this year are expected to total over half a million dollars in cash and non-cash awards and Google is one of the sponsors. 

The following targets and prizes have been announced on the HP Security Research blog:

Windows-based targets: 

• Google Chrome (64-bit): $75,000
• Microsoft Internet Explorer 11 (64-bit with EPM-enabled): $65,000
• Mozilla Firefox: $30,000
• Adobe Reader running in Internet Explorer 11 (64-bit with EPM-enabled): $60,000
• Adobe Flash (64-bit) running in Internet Explorer 11 (64-bit with EPM-enabled): $60,000

Mac OS X-based targets: 

• Apple Safari (64-bit): $50,000

In addition, on Windows-based targets, a contestant who achieves system-level code execution will receive an additional $25,000. Moreover, for the Google Chrome target, the Chrome Security Team will provide a top-up reward of $10,000 for any entry that can also successfully exploit the latest release of the Chrome 42 release channel even though Chrome 42 won't be on the stable channel at the time of the competition.