Hacking contests are not new in the tech world and the latest one has come from Google's Project Zero team. The team has launched a hacking contest in order to find critical security flaws in Android. The winner of the competition will take home a cash prize of $200,000.
According to the team, the goal of this contest is "to find a vulnerability or bug chain that achieves remote code execution on multiple Android devices knowing only the devices' phone number and email address," said Natalie Silvanovich, Project Zero Exploit Enthusiast, in a blog post. To recall, Project Zero was first formed in 2014, and is a team of security researchers that looks for zero-day exploits so that they can be patched before being discovered by the ill-intentioned.
The contest structure is a little different as the entrants don't have to wait for the entire bug chain to form and can start the submission of their entry with Android Issue Tracker. After the initial entry of the bug, the participant can use it any time as part of its submission during the length of the 6-month competition.
It is important to note that the bug reported by a particular participant can only be used by that participant later on. Participants are required to submit a full description of how their exploit works, and this description will be eventually published on the team's official blog.
The Project Zero team has clarified that every vulnerability and exploit technique used in each winning submission will be made public. Besides the winning entry, the company will be giving away $100,000 as the second prize and $50,000 will be split among other entrants.
Of course, the Internet already has bug bounty program called Google Security Reward Programs for all its products, and in June last year, it introduced a specific Android Security Rewards program. The company recently revealed it had paid out $550,000 to Android bug researchers since the program was initiated, and, that it was increasing the rewards for each type of vulnerability found.
So just why is it starting a separate hacking contest? Silvanovich explains, "Despite the existence of vulnerability rewards programs at Google and other companies, many unique, high-quality security bugs have been discovered as a result of hacking contests. Hoping to continue the stream of great bugs, we've decided to start our own contest: The Project Zero Prize."
Silvanovich adds, "Our main motivation is to gain information about how these bugs and exploits work. There are often rumours of remote Android exploits, but it's fairly rare to see one in action. We're hoping this contest will improve the public body of knowledge on these types of exploits. Hopefully this will teach us what components these issues can exist in, how security mitigations are bypassed and other information that could help protect against these types of bugs... Also, we're hoping to get dangerous bugs fixed so they don't impact users. Contests often lead to types of bugs that are less commonly reported getting fixed, so we're hoping this contest leads to at least a few bugs being fixed in Android."