“Despite the existence of vulnerability rewards programs at Google and other companies, many unique, high-quality security bugs have been discovered as a result of hacking contests,” Google’s Natalie Silvanovich wrote in a blog post. “The goal of this contest is to find a vulnerability or bug chain that achieves remote code execution on multiple Android devices knowing only the devices’ phone number and email address.”
Here’s how it works: Hackers who uncover a serious security bug, exploit, or flaw in Android are encouraged to publish them on the Android issue tracker, a public forum devoted to documenting Android issues, from visual glitches to wonky Wi-Fi. Posts will have to be detailed — contest participants must share a “full description” of how the exploit works with the expectation that, if verified independently, they’ll be published on a public Google blog. They’ll have to work on Google’s branded Nexus devices, the Huawei-made Nexus 6P and LG’s Nexus 5X, plus any devices running an up-to-date build of Android 7.0 Nougat. And the more, the better — reported bugs can contribute to a larger Project Zero submission at any time during the contest’s six-month period, Google said.
The prizes ain’t half bad. The winner of the contest takes home $200,000, while the runner-up will net $100,000. An undisclosed number of entries will be receive a consolatory prize of $50,000 as well. And there’s no way to lose: Google said bugs that aren’t submitted during the entry period may be considered for other contests like Android Security Rewards, as well as future, as-yet-unannounced promotions.
Project Zero’s impetus, Google said, was discovering bugs that would otherwise go unreported. Another motivation? Developing fixes quickly, and in some cases pre-emptively. “Our main motivation is to gain information about how these bugs and exploits work,” Silvanovich wrote.” There are often rumors of remote Android exploits, but it’s fairly rare to see one in action. We’re hoping this contest will improve the public body of knowledge on these types of exploits.”
More broadly, Google is hoping to dissuade unscrupulous types who otherwise might be inclined to sell exploits to the highest bidder. McAfee’s Center for Strategic and International Studies estimated that the cost of cybercrime is somewhere around $160 billion a year. And as use of mobile devices has climbed to unprecedented levels, the price of so-called zero-day bugs — exploits deriving from a previously unknown vulnerability — on internet black markets has mirrored that growth. A zero-day flaw in the latest version of iOS, for example, can sell for as much as $250,000, according to Wired, and some foreign governments have reportedly paid nearly half a million dollars for comparable bugs.
“We’re hoping to get dangerous bugs fixed so they don’t impact users,” Silvanovich said. “We’re [hoping] that this contest will give us another data point on the availability of these types of exploits.”
Project Zero began Wednesday.
