Google is gearing up to award at least $350,000 for its Project Zero Prize—a new hacking contest complement to its existing bug bounty program.
The goal of this contest is to find a vulnerability or bug chain that achieves remote code execution on multiple Android devices, knowing only the devices’ phone number and email address.
“Despite the existence of vulnerability rewards programs at Google and other companies, many unique, high-quality security bugs have been discovered as a result of hacking contests,” said Natalie Silvanovich, a Google “exploit enthusiast.” “Hoping to continue the stream of great bugs, we’ve decided to start our own contest.”
$200,000 will be awarded to the first winning entry and $100,000 to the second; third and subsequent winning entries will receive $50,000 each, paid out through Android Security Rewards.
Any bugs that don’t end up being used in a submission will be considered for Android Security Rewards and any other rewards program at Google they might be eligible for after the contest has ended. Android Security Rewards was added to Google’s Vulnerability Rewards Program to focus specifically on exploits and vulnerabilities within Google’s mobile operating system. It was launched to help secure Google’s range of Nexus devices, such as smartphones and tablets.
In addition, participants who submit a winning entry will be invited to write a short technical report explaining how their exploit works, which will eventually be published on the Project Zero blog. Every vulnerability and exploit technique used in each winning submission will be made public.
“This contest will be structured a bit differently than other contests,” explained Silvanovich, in a blog. “Instead of saving up bugs until there’s an entire bug chain, and then submitting it to the Project Zero Prize, participants are asked to report the bugs in the Android issue tracker. They can then be used as a part of submission by the participant any time during the six month contest period. Only the first person to file a bug can use it as a part of their submission, so file early and file often!”
She added that Google’s main motivation is to gain information about how these bugs and exploits work, and of course to fix them so they don’t impact users.
“There are often rumours of remote Android exploits, but it’s fairly rare to see one in action,” she said. “We’re hoping this contest will improve the public body of knowledge on these types of exploits. Hopefully this will teach us what components these issues can exist in, how security mitigations are bypassed and other information that could help protect against these types of bugs.”
Google has embraced the bug bounty concept wholeheartedly. To mark the first anniversary of Google’s Android Security Rewards program over the summer, the company announced an increase in how much it will pay for vulnerability reports.
For what Google calls a “high-quality vulnerability report with proof of concept,” security researchers saw payments increase 33% from $3000 (£2100, €2700) to $4000 (£2800, €3500). A high-quality vulnerability report with a proof of concept, a CTS Test, or a patch will get 50% more.