| {{+bindTo:partials.standard_nacl_article}} |
| |
| <b><font color="#cc0000"> |
| NOTE: |
| Deprecation of the technologies described here has been announced |
| for platforms other than ChromeOS.<br/> |
| Please visit our |
| <a href="/native-client/migration">migration guide</a> |
| for details. |
| </font></b> |
| <hr/><section id="security-contest-terms-and-conditions"> |
| <h1 id="security-contest-terms-and-conditions">Security Contest Terms and Conditions</h1> |
| <aside class="caution"> |
| The Native Client Security Contest has ended—check out the |
| <a class="reference internal" href="/native-client/community/security-contest/index.html#contest-winners"><em>winning submissions</em></a>. We welcome your |
| continued involvement in the project. You can help by submitting |
| <a class="reference external" href="http://code.google.com/p/nativeclient/issues/list">bugs</a> and |
| participating in the <a class="reference external" href="http://groups.google.com/group/native-client-discuss">Native Client discussion group</a>. |
| </aside> |
| <aside class="warning"> |
| This has been reformatted from the original, and the enumeration |
| list numbering style differs from the original document. |
| </aside> |
| <p>NO PURCHASE NECESSARY TO ENTER OR WIN. VOID WHERE PROHIBITED. CONTEST |
| IS OPEN TO RESIDENTS OF THE 50 UNITED STATES, THE DISTRICT OF COLUMBIA |
| AND WORLDWIDE, EXCEPT FOR ITALY, BRAZIL, QUEBEC, CUBA, IRAN, SYRIA, |
| NORTH KOREA, SUDAN AND MYANMAR.</p> |
| <p>ENTRY IN THIS CONTEST CONSTITUTES YOUR ACCEPTANCE OF THESE TERMS AND |
| CONDITIONS.</p> |
| <ol class="upperroman"> |
| <li><p class="first">Binding Agreement</p> |
| <p>In order to enter the Native Client Security Contest (“Contest”), |
| you must agree to these Terms and Conditions (“Terms”). Therefore, |
| please read these Terms prior to entry to ensure you understand and |
| agree. You agree that submission of an entry in the Contest |
| constitutes your agreement to these Terms. After reading the Terms |
| and in order to participate, each Participant (as defined below) |
| must complete the registration form, clicking the “I understand and |
| agree” box (or the equivalent), on the Contest entry webpage. Once |
| the Participant clicks the “I understand and agree” box (or the |
| equivalent), the Terms form a binding legal agreement between each |
| Participant and Google with respect to the Contest.</p> |
| <p>Participants may not submit an Exploit, Issue or Summary to the |
| Contest and are not eligible to receive the prizes described in |
| these Terms unless they agree to these Terms. If a Participant is |
| part of a team, each member of the team must read and agree to |
| these Terms and click on the “I understand and agree” box (or the |
| equivalent) described herein. Failure of any member of a team to |
| agree to these Terms and click on the “I understand and agree” box |
| (or the equivalent) described herein will disqualify the entire |
| team.</p> |
| <p>By entering, Participant warrants that Participant has not violated |
| any employment agreement or other restriction imposed by their |
| employer by participating in this Contest.</p> |
| </li> |
| <li><p class="first">Description</p> |
| <p>The Contest is organized by Google and is designed to motivate the |
| developer community to identify and report security Exploits (as |
| defined below) on Google’s Native Client software and reward those |
| developers who identify one or more security Exploits that are |
| evaluated as a winning exploit by the Judges.</p> |
| <p>Once a Participant has registered for the Contest, the Participant |
| will be asked to identify security Exploits in Google’s Native |
| Client Software and enter those Exploits on Google’s <a class="reference external" href="http://code.google.com/p/nativeclient/issues/list">Native Client |
| Issue Tracker</a> |
| website using the “Security Contest Template.” At this point, the |
| Exploit will become an Issue and will no longer be able to be |
| identified by another Participant. Google will then verify that the |
| Issue is reproducible. If so, that Issue will become a Verified |
| Issue. Finally, the Participant will submit a Summary of up to their |
| top ten best Issues that were submitted on the <a class="reference external" href="http://code.google.com/p/nativeclient/issues/list">Native |
| Client Issue Tracker</a>. Since it is |
| possible that an Issue may not be verified until after the Contest |
| End Date, if a Participant includes such an Issue in their Summary |
| and such Issue is not ultimately verified, then that Issue will not |
| be considered to be part of the Summary.</p> |
| <p>Prizes will be awarded to those Participants who submit the best |
| Summaries as determined in the sole discretion of the Judges when |
| considering the Judging Criteria described herein.</p> |
| </li> |
| <li><p class="first">Sponsor</p> |
| <p>The Contest is sponsored by Google Inc. (“Google” or “Sponsor”), a |
| Delaware corporation with its principal place of business at 1600 |
| Amphitheatre Parkway, Mountain View, CA, 94043, USA.</p> |
| </li> |
| <li><p class="first">Term</p> |
| <p>The Contest begins at 9:00:00 A.M. Pacific Time (PT) Zone in the |
| United States on February 25th, 2009 (“Contest Start Date”) and |
| ends at 11:59:59 P.M. PT on May 5th, 2009 (“Contest End |
| Date”). Participants must register by May 5th, 2009 at 11:59:59 |
| Pacific Time to be eligible to participate. ENTRANTS ARE |
| RESPONSIBLE FOR DETERMINING THE CORRESPONDING TIME ZONE IN THEIR |
| RESPECTIVE JURISDICTIONS.</p> |
| </li> |
| <li><p class="first">Definitions</p> |
| <p>Throughout these Terms, Google will use the following defined terms |
| and words. Please review them carefully to ensure you understand.</p> |
| <ol class="arabic simple"> |
| <li>Covert Channel Attack: A “Covert Channel Attack” means an |
| attempt to manipulate certain properties of a communications |
| medium in an unexpected, unconventional, or unforeseen way in |
| order to transmit information through the medium without |
| detection by anyone other than the entities operating the covert |
| channel. Exploits that are Covert Channel Attacks are excluded |
| from the Contest.</li> |
| <li>Exploit: An “Exploit” means a sequence of steps that require and |
| use Native Client to produce or have the potential to produce |
| behavior prohibited by Native Client’s security policies and |
| design which can be found at |
| <a class="reference external" href="http://src.chromium.org/viewvc/native_client/trunk/src/native_client/README.html">http://src.chromium.org/viewvc/native_client/trunk/src/native_client/README.html</a>. |
| Google reserves the right to modify the security policies and |
| design at any time. An example of an Exploit would be producing |
| file system or network access outside of the scope of |
| permissible use via JavaScript in a browser. An Exploit that |
| defeats one but not all Native Client security measures is still |
| considered to produce behavior prohibited by Native Client’s |
| security policies for the purposes of this Contest and would be |
| entitled to be identified as an Exploit in the Contest.</li> |
| <li>Inner Sandbox: The “Inner Sandbox” means the Native Client |
| security system that a) inspects executables before running them |
| to try to detect the potential for an executable to produce |
| prohibited behavior, and b) prevents from running any |
| executables that are detected to have the potential to produce |
| prohibited behavior.</li> |
| <li>Issue: An “Issue” means an entry of a single Exploit by a |
| Participant into the <a class="reference external" href="http://code.google.com/p/nativeclient/issues/list">Native Client Issue Tracker</a> using a |
| properly filled out Security Contest Template. Once the Exploit |
| has been properly entered it becomes an Issue.</li> |
| <li>Native Client Issue Tracker: The “Native Client Issue Tracker” |
| is located at |
| <a class="reference external" href="http://code.google.com/p/nativeclient/issues/list">http://code.google.com/p/nativeclient/issues/list</a>. It is a web |
| application that manages and maintains a list of Issues, |
| including Issues that are not eligible for contest entry.</li> |
| <li>Native Client Version Number: The “Native Client Version Number” |
| is defined as the number between the platform name (separated by |
| an ‘_’) and the file extension (separated by a ‘.’) in the |
| Native Client download. For example, if the filename of the |
| download on the Native Client download page is |
| “nacl_linux_0.1_32_2009_01_16.tgz” or |
| “nacl_windows_0.1_32_2009_01_16.zip”, the Version Number is |
| “0.1_32_2009_01_16”.</li> |
| <li>Outer Sandbox: The “Outer Sandbox” means the Native Client |
| security system that 1) observes executables while they are |
| running to detect the attempts at prohibited behavior and 2) |
| terminates misbehaving executables if it observes any attempts |
| to produce prohibited behavior.</li> |
| <li>Participant: A “Participant” means any individual or team of |
| individuals that has agreed to these Terms, meets the |
| eligibility criteria described below, and is participating in |
| the Contest.</li> |
| <li>Side Channel Attack: A “Side Channel Attack” means any attack |
| based on information gained as a side-effect of the |
| implementation of a cryptosystem, rather than brute force or |
| theoretical weaknesses in the algorithms. For example, attacks |
| that use timing information, power consumption variation, |
| electromagnetic leaks or sound to obtain information illicitly |
| are side channel attacks. Exploits that are Side Channel Attacks |
| are excluded from the Contest.</li> |
| <li>Summary: A “Summary” means the final electronic document |
| complying with the requirements of Section X that each |
| Participant must submit in order to participate in the |
| Contest. A Summary may contain up to 10 Issues. If Issues do not |
| ultimately become Verified Issues, they will not be considered |
| as part of the Summary and Participant understands and accepts |
| the risk that if the Participant identified an Issue on a |
| Summary that had not yet been verified, that Issue will not be |
| considered as part of the Summary if not subsequently verified.</li> |
| <li>Verified Issue: A “Verified Issue” means an Exploit that has |
| been a) submitted to the <a class="reference external" href="http://code.google.com/p/nativeclient/issues/list">Native Client Issue Tracker</a> in |
| accordance with these Terms, and b) confirmed by the Native |
| Client team at Google to exhibit the behavior described in the |
| Issue report.</li> |
| </ol> |
| </li> |
| <li><p class="first">Eligibility</p> |
| <p>The Contest is open to Participants who (1) have agreed to these |
| Terms; (2) who are of or above the legal age of majority, at the |
| time of entry, to form valid contracts in their respective country, |
| province or state of legal residence (and at least the age of 20 in |
| Taiwan); (3) are not residents of Italy, Brazil, Quebec, Cuba, |
| Iran, Syria, North Korea, Sudan, or Myanmar; and (4) who have |
| software development experience. Sponsor reserves the right to |
| verify eligibility and to adjudicate on any dispute at any |
| time. The Contest is void in, and not open to residents of, Italy, |
| Brazil, Quebec, Cuba, Iran, Syria, North Korea, Sudan, Myanmar, or |
| to individuals and entities restricted by U.S. export controls and |
| sanctions, and is void in any other nation, state, or province |
| where prohibited or restricted by U.S. or local law.</p> |
| <p>Employees and contractors of Google, affiliates and subsidiaries of |
| Google, the Judges and members of their immediate families (defined |
| as parents, children, siblings and spouse, regardless of where they |
| reside and/or those living in the same household of each) are not |
| eligible to participate in the Contest. Judges may not help any |
| Participant with their submissions and Judges must recuse |
| themselves in cases where they have a conflict of interest that |
| becomes known to the Judge.</p> |
| </li> |
| <li><p class="first">Registration & Entry Process</p> |
| <ol class="arabic"> |
| <li><p class="first">All Participants must register at |
| code.google.com/contests/nativeclient-security/ by May 5th, 2009 |
| at 11:59:59 Pacific Time. All individuals participating in the |
| Contest (either as an individual Participant or as a member of a |
| team) must provide the following registration information:</p> |
| <ol class="loweralpha simple"> |
| <li>Email Address(es) of the Participant. The first member of a |
| team to register must list the email addresses of all |
| members of the Participant team, and all members must |
| ultimately agree to the Terms as described more fully below.</li> |
| <li>Nationality and primary place of residence of the Participant.</li> |
| <li>If the Participant is a team, the email address of the team |
| member who is selected to be the recipient of the prize. The |
| first member of the team to register will designate this |
| information in the initial team registration.</li> |
| <li>Participant name, which is the team name in the case of a |
| team or the user name chosen by an individual in the case of |
| an individual Participant.</li> |
| </ol> |
| <p>Failure to fully, completely and accurately provide this |
| information will disqualify the Entry.</p> |
| </li> |
| <li><p class="first">Any potential prize recipient may be required to show proof of |
| being the authorized account holder for an email address. The |
| “Authorized Account Holder” is the natural person assigned to an |
| email address by the relevant provider of email services.</p> |
| </li> |
| <li><p class="first">Participants that are teams must provide the above registration |
| information for every individual who is a member of the |
| team. Every individual who is part of the team must agree to the |
| Terms in order for the team to be eligible to participate by |
| clicking the “I understand and agree” box (or the equivalent) on |
| the Contest entry webpage. Members of a team will be able to |
| edit the information relating to the team only until the last |
| member of the team has accepted these Terms by clicking the “I |
| understand and agree” box (or the equivalent) on the Contest |
| entry webpage. Issues submitted by members of a team prior to |
| the time that all individual members of the team have clicked |
| the “I understand and agree” box (or the equivalent) will not be |
| valid Issue submissions and will not be eligible entries in the |
| Contest. Google will send an email to all members of the team |
| when the final team member has accepted the terms, however |
| Google will have no liability for failure to send such an email |
| or for the failure of any team member to receive the email.</p> |
| </li> |
| <li><p class="first">Issues submitted by Participants who are individuals prior to |
| the time that the individual has clicked the “I understand and |
| agree” box (or the equivalent) will not be valid Issue |
| submissions and will not be eligible entries in the |
| Contest. Google will send an email to the individual when the |
| individual has accepted the terms, however Google will have no |
| liability for failure to send such an email or for the failure |
| of any team member to receive the email.</p> |
| </li> |
| <li><p class="first">All entries become the property of Sponsor and will not be |
| acknowledged or returned. Entries are void if they are in whole |
| or part illegible, incomplete, damaged, altered, counterfeit, |
| obtained through fraud, or late.</p> |
| </li> |
| <li><p class="first">LIMIT ONE ENTRY PER PERSON. Individuals may only enter one time, |
| whether as an individual Participant or as a team |
| Participant. Google, in its sole discretion, may disqualify any |
| Participant (including team Participants) that it believes has |
| violated this provision.</p> |
| </li> |
| </ol> |
| </li> |
| <li><p class="first">Submission Process</p> |
| <ol class="arabic simple"> |
| <li>Each Participant must submit:<ol class="loweralpha"> |
| <li>At least one Issue in the <a class="reference external" href="http://code.google.com/p/nativeclient/issues/list">Native Client Issue Tracker</a> that |
| describes an Exploit and includes the information detailed |
| in the “Issues” section below. Any team member can submit an |
| Issue on behalf of the team. All entries will be deemed made |
| by the Authorized Account Holder of the email address |
| submitted at the time of entry.</li> |
| <li>One Summary per Participant that includes the information |
| detailed in the “Summary” section below. Participant will be |
| entitled to amend its Summary until the Contest End Date and |
| only the last version will be considered by the Judges.</li> |
| </ol> |
| </li> |
| <li>Each Issue must be written in the English language. Google or |
| the Judges may refuse to review submissions that they deem |
| incomprehensible, include Issues that are not repeatable as |
| determined by Google, or that otherwise do not meet the |
| requirements of these Terms.</li> |
| <li>To enter an Issue in the <a class="reference external" href="http://code.google.com/p/nativeclient/issues/list">Native Client Issue Tracker</a>, each |
| Participant must use the “Security Contest Template” and provide |
| completely and accurately all information requested by the |
| template. Any Issues that are not entered with the “Security |
| Contest Template” may not be considered by the Judges. Each |
| Issue must contain the items described in the “Issues” section |
| of these Terms.</li> |
| </ol> |
| </li> |
| <li><p class="first">Issues</p> |
| <ol class="arabic simple"> |
| <li>Minimum requirements for Issues: Participant must identify an |
| Exploit and enter the Exploit into the <a class="reference external" href="http://code.google.com/p/nativeclient/issues/list">Native Client Issue |
| Tracker</a>. Once the |
| Exploit is submitted it becomes an Issue. Each submitted Issue |
| must include (i) the following information and (ii) all |
| additional information requested on the “Security Contest |
| Template”:<ol class="loweralpha"> |
| <li>The user name (in the case of Individual Participants) or |
| the team name (in the case of team Participants) of the |
| Participant submitting the Issue, which must be identical to |
| the user name or team name submitted during the registration |
| process.</li> |
| <li>A gzipped tar archive (with paths relative to |
| nacl/googleclient/native_client/tests/) that contains any |
| instructions and files necessary to reproduce the Exploit, |
| which must include:<ol class="arabic"> |
| <li>A README.txt file that describes:<ul class="small-gap"> |
| <li>The version number of current version of Native Client |
| at the time of submission. Issues submitted with a |
| version number listed other than the current version |
| at the time of submission will be invalid;</li> |
| <li>The steps required to reproduce the Exploit;</li> |
| <li>The effect of the Exploit; and</li> |
| <li>Platform requirements for the Exploit, including but |
| not necessarily limited to:</li> |
| <li>browser version;</li> |
| <li>operating system name(s) and version(s); and/or</li> |
| <li>any other platform requirements relevant to the Exploit.</li> |
| </ul> |
| </li> |
| <li>If the Exploit requires a binary executable, both the |
| source code and binary executable must be provided upon |
| creation of the Issue. Any subsequent updates to the |
| source code or binary executable after the creation of |
| the Issue will not be considered for the purposes of |
| this Contest. The binary executable must build cleanly |
| by executing the command “make” in the exploit directory |
| (e.g. nacl/googleclient/native_client/tests/exploit1).</li> |
| </ol> |
| </li> |
| </ol> |
| </li> |
| <li>Verified Issues: In order for an Issue to become a Verified |
| Issue, Google will first examine the submitted Issue to |
| determine whether it complies with the following:<ol class="loweralpha"> |
| <li>The Exploit must not contain or depend upon access or use of |
| any third party software or code that Google does not have |
| readily available to it or that would require complying with |
| third party license agreement that Google in its sole |
| discretion deems onerous or burdensome.</li> |
| <li>Google must be able to replicate the Exploit in its sole |
| discretion.</li> |
| <li>The Exploit must affect at least one “opt-” platform from a |
| standard build of the most recent released version of Native |
| Client as of the time of submission of the Issue for the |
| Exploit.</li> |
| </ol> |
| </li> |
| <li>Timeliness<ol class="loweralpha"> |
| <li>If the vulnerability exposed by the submitted Exploit was |
| disclosed in a previously reported Issue (whether or not |
| submitted by a Participant) or in the previously published |
| Native Client release notes, the submission will be invalid |
| for the purposes of this Contest. Two Exploits are |
| considered to expose the same vulnerability if the |
| theoretical patch required to fix one vulnerability also |
| fixes the second vulnerability.</li> |
| <li>Google will update the Native Client source code base at |
| most twice per week. These updates, if they occur, will |
| appear Mondays and Thursdays between 3 p.m. and 8 |
| p.m. Pacific Time.</li> |
| <li>Issues will not be valid if they have been entered before |
| the later of (i) the Contest Start Date or (ii) the time at |
| which all members of a team Participant or the individual |
| Participant, as the case may be, have accepted these Terms.</li> |
| </ol> |
| </li> |
| <li>Excluded Exploits. The following types of Exploits are invalid |
| for the purposes of this Contest:<ul class="small-gap"> |
| <li>Covert Channel Attacks;</li> |
| <li>Side Channel Attacks;</li> |
| <li>Exploits requiring a virtualized CPU;</li> |
| <li>Exploits that rely on features, misfeatures or defects of |
| virtual machines (i.e. VMWare, Xen, Parallels etc.);</li> |
| <li>Exploits that require the machine to be previously compromised |
| by malicious software (including but not limited to viruses or |
| malware); and</li> |
| <li>Exploits that rely on hardware failures, other than Exploits |
| which, in Google’s sole judgment, depend on CPU errata but |
| which can be reproduced reliably with a common system |
| configuration and under normal operating conditions, or |
| statistically improbable hardware behaviors. Examples include |
| but are not limited to Exploits that rely on memory errors |
| induced by cosmic radiation, and Exploits that require |
| abnormal heating, cooling or other abnormal physical |
| conditions.</li> |
| </ul> |
| </li> |
| <li>Completeness. Issues submitted that lack any of the above |
| materials or fail to meet any of the above criteria, may not be |
| considered in the judging process at Google’s sole |
| discretion. Issues that are not included in a Participant |
| Summary (see section below) will not be considered.</li> |
| </ol> |
| </li> |
| <li><p class="first">Summary</p> |
| <ol class="arabic simple"> |
| <li>Every Participant must submit a Summary at the <a class="reference external" href="http://code.google.com/p/nativeclient/issues/list">Native Client |
| Issue Tracker</a> complying |
| with the requirements of this section. The Participant must |
| select no more than 10 of the Verified Issues submitted by the |
| Participant for inclusion on the Summary. Each Summary must be |
| in English and must contain the following information:<ul class="small-gap"> |
| <li>The Issues must be listed in descending order of severity, as |
| determined by the Participant in accordance with the Judging |
| Criteria.</li> |
| <li>Each Issue listed in the Summary must be identified by ID |
| number of the Issue. The ID number is the identifying number |
| created for each Issue as listed on the <a class="reference external" href="http://code.google.com/p/nativeclient/issues/list">Native Client Issue |
| Tracker</a>.</li> |
| <li>A description of the effect of each Exploit.</li> |
| <li>The platform requirements of each Exploit.</li> |
| <li>The version number(s) of Native Client software affected by |
| each Exploit (which must be the version number of the Native |
| Client software current at the time the Issue was submitted to |
| the <a class="reference external" href="http://code.google.com/p/nativeclient/issues/list">Native Client Issue Tracker</a>).</li> |
| <li>Any other details about the Exploit and the submission that |
| are relevant to the judging criteria, such as, for example, |
| the approach used in finding the exploits, innovative or |
| scalable techniques used to discover exploits, or |
| architectural analysis.</li> |
| <li>The team name or user name of the Participant. Google may, in |
| its sole discretion, eliminate or disqualify any Summary that |
| lists user names or team names that are not identical to the |
| user name or team name of the Participant listed on the |
| Contest entry form.</li> |
| </ul> |
| </li> |
| <li>Each Summary must be a maximum of 8 pages long, in PDF format |
| viewable with Adobe Reader version 9. The Summary must be |
| formatted for 8.5 inches x 11 inches or A4 paper, with a minimum |
| font size of 10 pt. Any submission that does not meet these |
| formatting criteria may be disqualified at the sole discretion |
| of Google.</li> |
| <li>All Issues listed in the Summary will be verified by Google |
| before submission of the Summary to the Judges after the Contest |
| Closing Date. Participants may submit or resubmit their Summary |
| at any time during the duration of the Contest, however, the |
| Judges will consider only the last Summary from each Participant |
| prior to the Contest Closing Date and ignore all other Summaries |
| previously submitted by the Participant.</li> |
| </ol> |
| </li> |
| <li><p class="first">Judging</p> |
| <ol class="arabic"> |
| <li><p class="first">After the Contest End Date and on or about May 15th, 2009, all |
| submitted Summaries will be judged by one of at least three |
| panels with a minimum of three experts in the field of online |
| security (“Judges”) on each panel. Judges will evaluate each |
| Summary in accordance with the Judging Criteria described |
| below. Each panel will evaluate a number of the submitted |
| Summaries using the Judging Criteria described below and will |
| select the highest ranking Summaries to move to the next level |
| of judging. During the first round of judging, each panel will |
| select no more than ten Summaries to move forward to the second |
| round of judging unless there is a tie between or among any |
| Participants. During the second round of judging, those |
| Summaries selected during the first round of judging will then |
| be evaluated by all Judges using the below Judging Criteria and |
| the top five Summaries will be selected as potential |
| winners. All decisions of the Judges are final and binding.</p> |
| </li> |
| <li><p class="first">Judging Criteria. The Judges will consider each Summary under |
| the following judging criteria (“Judging Criteria”):</p> |
| <ol class="loweralpha"> |
| <li><p class="first">Quality of Exploit. Quality will be decided by the Judges in |
| their sole discretion and will be based on (in order of |
| importance to the Judges) Severity, Scope, Reliability and |
| Style.</p> |
| <ol class="lowerroman"> |
| <li><p class="first">Severity: the more disruptive the effects of the |
| Exploit, the higher its quality. Here is a |
| non-exhaustive ranking of the most common Exploits |
| starting from ‘minor’ to ‘severe’:</p> |
| <ul class="small-gap"> |
| <li><p class="first">Browser crash;</p> |
| </li> |
| <li><p class="first">Denial of service or machine crash;</p> |
| </li> |
| <li><p class="first">Compromise of the Outer Sandbox;</p> |
| </li> |
| <li><p class="first">Information leak (such as of a cookie or password);</p> |
| </li> |
| <li><p class="first">Compromise of both the Inner and Outer Sandbox; and/or</p> |
| </li> |
| <li><p class="first">Prohibited side effect (such as reading or writing |
| files to the client machine), escalation of privilege |
| (such as executing other programs outside of Native |
| Client).</p> |
| </li> |
| </ul> |
| <p>Any Exploit that does not address the above elements |
| will be evaluated on a case-by-case basis and the |
| severity of such Exploits will be determined solely at |
| the Judge’s discretion.</p> |
| </li> |
| <li><p class="first">Scope: the more computers that an Exploit would |
| potentially affect, the bigger its scope and therefore |
| higher the quality of the Exploit. Consider the |
| following:</p> |
| <ul class="small-gap"> |
| <li><p class="first">Exploits that affect all platforms supported by Native |
| Client (where platform is defined as a browser, |
| operating system and hardware combination) have higher |
| quality than an Exploit specific to a particular |
| platform.</p> |
| </li> |
| <li><p class="first">Exploits that require non-current or beta versions |
| (historic or future) of hardware or software are lower |
| quality.</p> |
| </li> |
| <li><p class="first">Exploits that rely on concurrent usage of other |
| installed software or web content must make a |
| compelling case about the likelihood of the |
| prerequisite software or content being present, or |
| they will be considered of lower quality.</p> |
| </li> |
| </ul> |
| </li> |
| <li><p class="first">Reliability: The more frequent or probable the |
| occurrence identified by the Exploit, the more |
| “reliable” it may be. Consider the following:</p> |
| <ul class="small-gap"> |
| <li><p class="first">Exploits that require uncommon software to be |
| installed on the machine in order to function will be |
| deemed to have lower quality.</p> |
| </li> |
| <li><p class="first">Entries that include Exploits that cannot be |
| reproduced 100% of the time, but which can be |
| reproduced a significant percentage of the time, will |
| be deemed to have a lower quality to account for a |
| lowered probability that the attack will succeed.</p> |
| </li> |
| </ul> |
| </li> |
| <li><p class="first">Style: Submissions that demonstrate exceptional style |
| will receive a higher ranking. Factors that contribute |
| to style include:</p> |
| <ul class="small-gap"> |
| <li><p class="first">Ingenuity in mechanism used to bypass security;</p> |
| </li> |
| <li><p class="first">Uniqueness of the Exploit;</p> |
| </li> |
| <li><p class="first">Ingenuity in methods used to discover vulnerabilities; |
| and/or</p> |
| </li> |
| <li><p class="first">Minimal size of Exploit to achieve the effect.</p> |
| </li> |
| </ul> |
| </li> |
| </ol> |
| </li> |
| <li><p class="first">Quantity of Exploits: Participants that submit more |
| Exploits in their Summary (but no more than 10) may receive |
| a higher ranking, weighted by quality. However, it is still |
| possible that a Participant who submits one Exploit could |
| still outweigh a Participant that submits several Exploits.</p> |
| </li> |
| </ol> |
| <p>Considering each of the factors described above, the Judges will |
| give each Summary a “Score” from 1-10 that represents the Judges’ |
| evaluation of the Summary. This “score” will determine which |
| participants move from the first round of judging to the second |
| round of judging, and which participants will be selected as a |
| winner.</p> |
| </li> |
| <li><p class="first">Winner Selection</p> |
| <p>Judges will review the Summaries as discussed in the “Judging” |
| section, above. The Summaries with the five (5) highest scores |
| will be selected as potentially winning Participants. In the |
| event of a tie ranking for two or more Summaries, the |
| Participant whose Summary had the highest ranking for “Severity” |
| will receive the higher prize. In the event of a second tie, the |
| Participant whose Summary had the highest ranking for “Scope” |
| will receive the higher prize. Odds of winning depend on the |
| number of eligible entries received and the skill of the |
| Participants.</p> |
| <p>The Judges are under no obligation to provide feedback on their |
| decisions or on their judgment on specific Exploits they |
| consider.</p> |
| </li> |
| <li><p class="first">Team Winners</p> |
| <p>A special note about the prize distribution process for |
| Participants who are entering as part of a team:</p> |
| <p>A single member of each team shall be designated to receive the |
| prize, if any, awarded to such team at the initial registration |
| of the team, and Google shall have no responsibility for |
| distribution of the prize among the team members.</p> |
| <p>Each individual that enters as part of a team understands and |
| agrees that if their team is selected to receive a prize, the |
| team is responsible for ensuring the funds are appropriately |
| distributed to each member of the team. In addition, once a team |
| has registered, the team may not add, remove, or substitute any |
| members or otherwise change the composition of the team for the |
| duration of the Contest. If any member of a team does not comply |
| with these Terms, is ineligible or is disqualified, the team as |
| a whole may be disqualified in Google’s sole discretion.</p> |
| </li> |
| </ol> |
| </li> |
| <li><p class="first">Prizes</p> |
| <ol class="arabic"> |
| <li><p class="first">Information Required for Eligibility</p> |
| <ol class="loweralpha simple"> |
| <li>On or about May 15th 2009 and upon selection of potential |
| winners, Google will contact all winning Participants using |
| the email addresses submitted at registration. In order to |
| win the Contest and receive prizes, Participants, including |
| each individual on a team, must provide additional |
| information including:<ul class="small-gap"> |
| <li>first and last name;</li> |
| <li>address;</li> |
| <li>phone number; and</li> |
| <li>all other necessary information required by the US tax and |
| legal authorities and/or the authorities of the countries |
| they reside in.</li> |
| </ul> |
| </li> |
| <li>All Participants will need to verify their identity with |
| Google, before receiving their prize; however, Participants |
| may provide an alias for use in any public documentation and |
| marketing material issued publicly by Google, subject to |
| limitations of the law and as required by law |
| enforcement. Please be aware that in some jurisdictions, a |
| list of winners must be made available and your name, and |
| not the alias, will be provided on that list. If a |
| Participant, or in the case of a team, any individual member |
| of the team, refuses or fails to provide the necessary |
| information to Google within 14 days of the Contest |
| administrators’ request for the required information, then |
| Google may, in its sole discretion, disqualify the |
| Participant’s entry and select as an alternative potential |
| winner the Participant with the next highest overall |
| ranking. Google will not be held responsible for any failure |
| of potential winners to receive notification that they are |
| potential winners. Except where prohibited by law, each |
| potential winner may be required to sign and return a |
| Declaration of Eligibility, Liability & Publicity Release |
| and Release of Rights and provide any additional information |
| that may be required by Google. If required, potential |
| winners must return all such required documents within 14 |
| calendar days following attempted notification or such |
| potential winner will be deemed to have forfeited the prize |
| and Google will select the Participant with the next highest |
| overall ranking as the potential winner.</li> |
| <li>Prizes will be awarded within 6 months after the Contest End Date.</li> |
| <li>If fewer than 5 Participants or teams are found eligible, |
| fewer than 5 winners will be selected.</li> |
| <li>Prizes are not transferable or substitutable, except by |
| Google in its sole discretion in the event a prize becomes |
| unavailable for any reason. In such an instance, Google will |
| award a prize of equal or greater value.</li> |
| <li>LIMIT: Only one prize per Participant.</li> |
| </ol> |
| </li> |
| <li><p class="first">Prize Amounts and Announcement</p> |
| <p>Provided that the Participant has complied with these Terms, |
| eligible Participants that are ranked in the top 5 positions of |
| the competition by Judges will receive the following awards in |
| U.S. Dollars based on their rank: 1st prize: $8,192.00, 2nd |
| prize: $4,096.00, 3rd prize: $2,048.00, 4th prize: $1,024.00, |
| 5th prize: $1,024.00. Winning Entries will be announced on or |
| about December 7th.</p> |
| </li> |
| <li><p class="first">Distribution of a Prize</p> |
| <p>Google is not responsible for any division or distribution of |
| the prizes among or between team members. Distribution or |
| division of the prize among individual team members is the sole |
| responsibility of the participating team. Google will award the |
| prize only to the one (1) member of the team, who was identified |
| by the Participant to receive the prize as part of the |
| registration process. Google will attempt to reach only the |
| designated recipient for purposes of distribution of the prize.</p> |
| <p>Prizes are awarded without warranty of any kind from Google, |
| express or implied, without limitation, except where this would |
| be contrary to federal, state, provincial, or local laws or |
| regulations. All federal, state, provincial and local laws and |
| regulations apply.</p> |
| </li> |
| <li><p class="first">Taxes</p> |
| <p>Payments to potential prize winners are subject to the express |
| requirement that they submit to Google all documentation |
| requested by Google to permit it to comply with all applicable |
| US, state, local and foreign (including provincial) tax |
| reporting and withholding requirements. All prizes will be net |
| of any taxes Google is required by law to withhold. All taxes |
| imposed on the prize are the sole responsibility of the prize |
| recipient.</p> |
| <p>In order to receive a prize, potential prize recipients must |
| submit the tax documentation requested by Google or otherwise |
| required by applicable law, to Google or the relevant tax |
| authority, all as determined by applicable law, including, where |
| relevant, the law of the potential prize recipient’s country of |
| residence. The potential prize recipient is responsible for |
| ensuring that they comply with all the applicable tax laws |
| and filing requirements. If a potential prize recipient fails to |
| provide such documentation or comply with such laws, the prize |
| may be forfeited and Google may, in its sole discretion, select |
| an alternative potential prize recipient.</p> |
| </li> |
| </ol> |
| </li> |
| <li><p class="first">General Conditions</p> |
| <ol class="arabic"> |
| <li><p class="first">Right to Disqualify. A Participant may be prohibited from |
| participating in or be disqualified from this Contest if, in |
| Google’s sole discretion, it reasonably believes that the |
| Participant or any member of a Participant team has attempted to |
| undermine the legitimate operation of the Contest by cheating, |
| deception, or other unfair playing practices or annoys, abuses, |
| threatens or harasses any other Participants, Google, or the |
| Judges. Google further reserves the right to disqualify any |
| Issue that it believes in its sole and unfettered discretion |
| infringes upon or violates the rights of any third party, |
| otherwise does not comply with these Terms, or violates U.S. or |
| applicable local law in Participant’s country of residence.</p> |
| <p>Google further reserves the right to disqualify any Participant |
| who tampers with the submission process or any other part of the |
| Contest. Any attempt by a Participant to deliberately damage any |
| website or undermine the legitimate operation of the Contest is |
| a violation of criminal and civil laws and should such an |
| attempt be made, Google reserves the right to seek damages from |
| any such Participant to the fullest extent of the applicable |
| law.</p> |
| </li> |
| <li><p class="first">Internet Disclaimer. Google is not responsible for any |
| malfunction of the entire Contest, the website displaying the |
| Contest terms and entry information, or any late, lost, damaged, |
| misdirected, incomplete, illegible, undeliverable, or destroyed |
| Exploits, Issues or Summaries due to system errors, failed, |
| incomplete or garbled computer or other telecommunication |
| transmission malfunctions, hardware or software failures of any |
| kind, lost or unavailable network connections, typographical or |
| system/human errors and failures, technical malfunction(s) of |
| any telephone network or lines, cable connections, satellite |
| transmissions, servers or providers, or computer equipment, |
| traffic congestion on the Internet or at the website displaying |
| the Contest or any combination thereof, including other |
| telecommunication, cable, digital or satellite malfunctions |
| which may limit an entrant’s ability to participate. Google is |
| not responsible for availability of the <a class="reference external" href="http://code.google.com/p/nativeclient/issues/list">Native Client Issue |
| Tracker</a> |
| from your preferred point of Internet access. In the event of a |
| technical disruption, Google may, in its sole discretion, extend |
| the Contest End Date for a reasonable period. Google will |
| attempt to notify Participants of any such extension by email at |
| the email address in the registration information, but shall |
| have no liability for any failure of such notification.</p> |
| </li> |
| <li><p class="first">Exploits Independently Discovered by Google. You acknowledge and |
| understand that Google may discover Exploits independently that |
| may be similar to or identical to your Issues in terms of |
| function, vulnerability, or in other respects. You agree that |
| you will not be entitled to any rights in, or compensation in |
| connection with, any such similar or identical applications |
| and/or ideas. You acknowledge that you have submitted your entry |
| voluntarily and not in confidence or in trust.</p> |
| </li> |
| <li><p class="first">No Contract for Employment. You acknowledge that no |
| confidential, fiduciary, agency or other relationship or |
| implied-in-fact contract now exists between you and Google and |
| that no such relationship is established by your submission of |
| an entry to Google in this Contest. Under no circumstances shall |
| the submission of an entry in the Contest, the awarding of a |
| prize, or anything in these Terms be construed as an offer or |
| contract of employment with Google.</p> |
| </li> |
| <li><p class="first">Intellectual Property Rights and License. Participants warrant |
| that their Exploit and Summary are their own original work and, |
| as such, they are the sole and exclusive owner and rights holder |
| of the submitted Exploit and Summary and that they have the |
| right to submit the Exploit and Summary in the Contest and grant |
| all required licenses. Each Participant agrees not to submit any |
| Exploit and Summary that (a) infringes any third party |
| proprietary rights, intellectual property rights, industrial |
| property rights, personal or moral rights or any other rights, |
| including without limitation, copyright, trademark, patent, |
| trade secret, privacy, publicity or confidentiality obligations; |
| or (b) otherwise violates the applicable state, federal, |
| provincial or local law.</p> |
| <p>As between Google and the Participant, the Participant retains |
| ownership of all intellectual and industrial property rights in |
| and to the Issues and Summary that Participant created. As a |
| condition of entry, Participant grants Google a perpetual, |
| irrevocable, worldwide, royalty-free, and non-exclusive license |
| to use, reproduce, publicly perform, publicly display, |
| distribute, sublicense and create a derivative work from, any |
| Issue or Summary that Participant submits to this Contest for |
| the purposes of allowing Google to test, evaluate and fix or |
| remedy the Issue and Summary for purposes of the Contest and |
| modifying or improving the Native Client software or any other |
| current or future Google product or service.</p> |
| <p>Participant also grants Google the right to reproduce and |
| distribute the Issue and the Summary. In addition, Participant |
| specifically agrees that Google shall have the right to use, |
| reproduce, publicly perform, and publicly display the Issue and |
| Summary in connection with the advertising and promotion of the |
| Native Client software or any other current or future Google |
| product or service via communication to the public or other |
| groups, including, but not limited to, the right to make |
| screenshots, animations and video clips available for |
| promotional purposes.</p> |
| </li> |
| <li><p class="first">Privacy. Participants agree that personal data provided to |
| Google during the Contest, including name, mailing address, |
| phone number, and email address may be processed, stored, and |
| otherwise used for the purposes and within the context of the |
| Contest. This data will be maintained in accordance with the |
| Google Privacy Policy found at |
| <a class="reference external" href="http://www.google.com/privacypolicy.html">http://www.google.com/privacypolicy.html</a>. This data will also be |
| transferred into the United States. By entering, Participants |
| agree to the transmission, processing, and storage of this |
| personal data in the United States.</p> |
| <p>Participants also understand this data may be used by Google in |
| order to verify a Participant’s identity, postal address and |
| telephone number in the event a Participant qualifies for a |
| prize. Participants have the right to access, review, rectify or |
| cancel any personal data held by Google in connection with the |
| Contest by writing to Google at the address listed below in the |
| section entitled “Winner’s List.”</p> |
| <p>For residents of the European Union:</p> |
| <p>Pursuant to EU law pertaining to data collection and processing, |
| you are informed that:</p> |
| <ul class="small-gap"> |
| <li><p class="first">The data controller is Google and the data recipients are |
| Google and its agents;</p> |
| </li> |
| <li><p class="first">Your data is collected for purposes of administration of the |
| Native Client Security Contest;</p> |
| </li> |
| <li><p class="first">You have a right of access to and withdrawal of your personal |
| data. You also have a right of opposition to the data |
| collection, under certain circumstances. To exercise such |
| right, you may write to: Native Client Security Contest, |
| Google Inc., 1600 Amphitheatre Parkway, Mountain View, CA |
| 94043, USA.</p> |
| </li> |
| <li><p class="first">Your personal data will be transferred to the U.S.</p> |
| </li> |
| </ul> |
| </li> |
| <li><p class="first">Indemnity. To the maximum extent permitted by law, each |
| Participant indemnifies and agrees to keep indemnified Google |
| and Judges at all times from and against any liability, claims, |
| demands, losses, damages, costs and expenses resulting from any |
| act, default or omission of the Participant and/or a breach of |
| any warranty set forth herein. To the maximum extent permitted |
| by law, each Participant agrees to defend, indemnify and hold |
| harmless Google, its affiliates and their respective directors, |
| officers, employees and agents from and against any and all |
| claims, actions, suits or proceedings, as well as any and all |
| losses, liabilities, damages, costs and expenses (including |
| reasonable attorneys’ fees) arising out of or accruing from:</p> |
| <ol class="loweralpha simple"> |
| <li>any material uploaded or otherwise provided by the |
| Participant that infringes any copyright, trademark, trade |
| secret, trade dress, patent or other intellectual property |
| right of any person or defames any person or violates their |
| rights of publicity or privacy,</li> |
| <li>any misrepresentation made by the Participant in connection |
| with the Contest;</li> |
| <li>any non-compliance by the Participant with these Terms; and</li> |
| <li>claims brought by persons or entities other than the parties |
| to these Terms arising from or related to the Participant’s |
| involvement with the Contest.</li> |
| </ol> |
| <p>To the extent permitted by law, Participant agrees to hold |
| Google, its respective directors, officers, employees and |
| assigns harmless for any injury or damage caused or claimed to |
| be caused by participation in the Contest and/or use or |
| acceptance of any prize, except to the extent that any death or |
| personal injury is caused by the negligence of Google.</p> |
| </li> |
| <li><p class="first">Elimination. Any false information provided within the context |
| of the Contest by any Participant including information |
| concerning identity, mailing address, telephone number, email |
| address, or ownership of right, or non-compliance with these |
| Terms or the like may result in the immediate elimination of the |
| Participant from the Contest. In the event an individual who is |
| a member of a team supplies information that is covered by this |
| section, the entire team shall be disqualified.</p> |
| </li> |
| <li><p class="first">Right to Cancel. If for any reason the Contest is not capable of |
| running as planned, including infection by computer virus, bugs, |
| tampering, unauthorized intervention, fraud, technical failures, |
| or any other causes which corrupt or affect the administration, |
| security, fairness, integrity, or proper conduct of the Contest, |
| Google reserves the right at its sole discretion to cancel, |
| terminate, modify or suspend the Contest.</p> |
| </li> |
| <li><p class="first">Forum and Recourse to Judicial Procedures. These Terms shall be |
| governed by, subject to, and construed in accordance with the |
| laws of the State of California, United States of America, |
| excluding all conflict of law rules. If any provision(s) of |
| these Terms are held to be invalid or unenforceable, all |
| remaining provisions hereof will remain in full force and |
| effect. To the extent permitted by law, the rights to litigate, |
| seek injunctive relief or make any other recourse to judicial or |
| any other procedure in case of disputes or claims resulting from |
| or in connection with this Contest are hereby excluded, and all |
| Participants expressly waive any and all such rights.</p> |
| </li> |
| <li><p class="first">Arbitration. By entering the Contest, you agree that exclusive |
| jurisdiction for any dispute, claim, or demand related in any |
| way to the Contest will be decided by binding arbitration. All |
| disputes between you and Google, of whatsoever kind or nature |
| arising out of these Terms, shall be submitted to Judicial |
| Arbitration and Mediation Services, Inc. (“JAMS”) for binding |
| arbitration under its rules then in effect in the San Jose, |
| California, USA area, before one arbitrator to be mutually |
| agreed upon by both parties. The parties agree to share equally |
| in the arbitration costs incurred.</p> |
| </li> |
| <li><p class="first">Winner List</p> |
| <p>You may request a list of winners after December 7th, 2009 by |
| writing to:</p> |
| <div class="line-block"> |
| <div class="line">Native Client Security Contest</div> |
| <div class="line">Google Inc.</div> |
| <div class="line">1600 Amphitheatre Parkway</div> |
| <div class="line">Mountain View, CA 94043</div> |
| <div class="line">USA</div> |
| </div> |
| <p>(Residents of Vermont need not supply postage).</p> |
| </li> |
| </ol> |
| </li> |
| </ol> |
| </section> |
| |
| {{/partials.standard_nacl_article}} |