Although Google already has programs in place to encourage hackers and developers to help identify bugs in their code, especially items that could be used as the basis of a vulnerability, some recent Android episodes have highlighted the need to step things up a notch. In response, Google’s Project Zero team announced today a new contest called the Project Zero Prize that could yield $200,000 for the winning entry.
The Project Zero team is making use of the Android issue tracker for the Project Zero Prize as the contest focuses on the Android operating system. In a bit of a twist, the team is also asking participants to submit bugs on the fly rather than waiting for an entire bug chain or a full-fledged vulnerability to be developed. Eventually, participants are expected to make a formal contest submission and only the original poster of a bug used in a submission can make use of it.
Another twist that the Project Zero team is introducing is a commitment to making the full description of how the exploits work available to the public. The team says they hope that by introducing this level of transparency it might help improve the public’s understanding of how exploits work and how successful they actually are. Project Zero notes in their announcement that it is rare to see actual exploits in action in the wild.
Some other information Google hopes to glean from the contest is what parts of the code are commonly attacked or utilized for exploits and how existing security measures are bypassed. Knowing some of this information will help mitigate weaknesses in future releases of Android code.
In order to win a prize, hackers will need to come up with a vulnerability or bug chain that allows for remote code execution on multiple devices with nothing more known about the devices than the phone number and the email address. Assuming at least some hackers are successful in their attempts and decide to participate in the Project Zero Prize instead of getting compensated through other means, the first place prize will yield $200,000. The second place prize is still a nice $100,000 payday and additional entries may be paid out at $50,000 for third place prizes.
Hackers have six months to try to put something together that achieves the remote code execution requirement. Although the team mentions “multiple” Android devices as the target, they specifically indicate the code has to work on a Nexus 6P and a Nexus 5X that is running an up-to-date version of Android, which will be Android 7.x Nougat.
If you are interested in participating in the Project Zero Prize, hit the source link for more details and contest rules.
source: Google Project Zero