Google has issued a challenge to bug hunters around the world: find a vulnerability or bug chain that achieves remote code execution on multiple Android devices knowing only the devices’ phone number and email address, and you’ll be handsomely rewarded.
The Project Zero Prize is a contest that will run until March 14, 2017, and successful contestants will vie for the top prize of $200,000. Those that come second will get half of that, and the third at least $50,000.
“Exploits targeting any version of software available on up-to-date Nexus 5X and 6P devices throughout the Contest Period are eligible,” Google says, and adds that exploit chains must be practical from an attacker perspective.
“Entries where the user must open an email in Gmail, or open an SMS in Messenger are eligible, otherwise no user interaction is allowed. The same bug chain must be used on both devices, except in the case where one device has a security feature that the other does not, in which case unique bugs may be used,” the company also noted.
Also, entrants can’t publish vulnerability or attack details until 90 days have elapsed since submission, otherwise they will be disqualified.
“This contest will be structured a bit differently than other contests. Instead of saving up bugs until there’s an entire bug chain, and then submitting it to the Project Zero Prize, participants are asked to report the bugs in the Android issue tracker,” Project Zero security researcher Natalie Silvanovich explained.
“They can then be used as a part of submission by the participant any time during the six month contest period. Only the first person to file a bug can use it as a part of their submission, so file early and file often! Of course, any bugs that don’t end up being used in a submission will be considered for Android Security Rewards and any other rewards program at Google they might be eligible for after the contest has ended.
Over the years, Google has set up several bug bounty programs, but its software and devices were also often successfully targeted during various hacking contests.
The company is hoping that this one will lead to the uncovering of some high-quality security bugs that have so far eluded their researchers.
“There are often rumours of remote Android exploits, but it’s fairly rare to see one in action. We’re hoping this contest will improve the public body of knowledge on these types of exploits. Hopefully this will teach us what components these issues can exist in, how security mitigations are bypassed and other information that could help protect against these types of bugs,” Silvanovich pointed out, and added that the contest could also give them some insight into the general availability of these types of exploits.