Google launches Project Zero bug hunting competition

Researchers interested in breaking Android security can earn themselves up to $200,000.

Google has launched The Project Zero Prize, a competition billed as a way to find and destroy critical Android vulnerabilities before attackers exploit them in the wild.

Project Zero security researcher Natalie Silvanovich revealed the competition on Tuesday. In a blog post, Silvanovich said that despite the constant stream of bug discoveries coming from Google's security team, "many unique, high-quality security bugs have been discovered as a result of hacking contests."

As a result, the tech giant has decided to run its own contest in the quest for interesting, severe Android security bugs.

Google is asking researchers interested in competing in The Project Zero Prize scheme to focus on vulnerabilities or bug chains which would allow attackers to perform remote code execution on multiple Android devices. However, there is a catch -- Google wants you to start with only the device's phone number and email address.

Exploits which successfully target any version of Android Nougat on Nexus 5X and 6P devices are eligible for the competition.

If security researchers are able to find exploitable flaws which are this severe, and then submit them through the program, there are a number of prizes on offer. The first prize, worth $200,000, will be awarded to the first winning entry. The second prize is worth $100,000, and a third valid entry will earn researchers at least $50,000.

Google will also consider other entries for rewards through the Android Security Rewards program.

The search engine giant does not want participants to save up their bugs until the last minute. Instead, Google asks that researchers submit bugs through the Android issue tracker as they find them. These bugs do not need to be a full vulnerability chain, and the entries can then be used as part of a contest submission during The Project Zero Prize, which will last six months.

Silvanovich commented:

"There are often rumours of remote Android exploits, but it's fairly rare to see one in action. We're hoping this contest will improve the public body of knowledge on these types of exploits. Hopefully this will teach us what components these issues can exist in, how security mitigations are bypassed and other information that could help protect against these types of bugs.

Also, we're hoping to get dangerous bugs fixed so they don't impact users."

After the competition has ended, the winning vulnerabilities and exploits will all be disclosed publicly.
