Posted by Natalie Silvanovich, Exploit Enthusiast
Despite the existence of vulnerability rewards programs at Google and other companies, many unique, high-quality security bugs have been discovered as a result of hacking contests. Hoping to continue the stream of great bugs, we’ve decided to start our own contest: The Project Zero Prize.
The goal of this contest is to find a vulnerability or bug chain that achieves remote code execution on multiple Android devices knowing only the devices’ phone number and email address. Successful submissions will be eligible for the following prizes.
$200,000 USD, awarded to the first winning entry.
$100,000 USD, awarded to the second winning entry.
At least $50,000 USD awarded by Android Security Rewards, awarded to additional winning entries.
In addition, participants who submit a winning entry will be invited to write a short technical report on their entry, which will be posted on the Project Zero Blog.
This contest will be structured a bit differently than other contests. Instead of saving up bugs until there’s an entire bug chain, and then submitting it to the Project Zero Prize, participants are asked to report the bugs in the Android issue tracker. They can then be used as a part of submission by the participant any time during the six month contest period. Only the first person to file a bug can use it as a part of their submission, so file early and file often! Of course, any bugs that don’t end up being used in a submission will be considered for Android Security Rewards and any other rewards program at Google they might be eligible for after the contest has ended.
In addition, unlike other contests, the public sharing of vulnerabilities and exploits submitted is paramount. Participants will submit a full description of how their exploit works with their submission, which will eventually be published on the Project Zero blog. Every vulnerability and exploit technique used in each winning submission will be made public.
So why are we doing yet another hacking contest? Our main motivation is to gain information about how these bugs and exploits work. There are often rumours of remote Android exploits, but it’s fairly rare to see one in action. We’re hoping this contest will improve the public body of knowledge on these types of exploits. Hopefully this will teach us what components these issues can exist in, how security mitigations are bypassed and other information that could help protect against these types of bugs.
Also, we’re hoping to get dangerous bugs fixed so they don’t impact users. Contests often lead to types of bugs that are less commonly reported getting fixed, so we’re hoping this contest leads to at least a few bugs being fixed in Android.
Finally, we hope that this contest will give us another data point on the availability of these types of exploits. There is fairly limited public information about this subject, and we might be able to glean some useful data from the number of submissions. Of course, a contest can never truly replicate the market conditions within which vulnerabilities are bought and sold, but it still provides at least some interesting information. If the first prize is won in thirty seconds, we learn something. If there are no submissions, we learn something. But we’re expecting we’ll get something in between.
Interested? See the full contest rules and frequently asked questions for more information, including how to submit. The contest starts today!