14 DAY TRIAL // Google announced yesterday a six-month-long hacking contest named Project Zero Prize, free to enter, during which security researchers will be tasked with developing an exploit chain capable of compromising Android devices.
Everyone is free to enter, but only the first researcher that delivers a working exploit will receive the contest's top prize, which is $200,000. Second place gets $100,000, while third place will get at least $50,000.
Contest will take place side-by-side with Google's bug bounty program
Google already runs its famous Vulnerabilities Rewards Program (VRP), the company's in-house bug bounty system, that dishes out monetary rewards for security researchers who file security bug reports.
The contest will take place in parallel with the Google Android VRP. If a researcher wants to participate in the Project Zero Prize contest, they must file a bug report with the Android VRP for all the vulnerabilities they plan to use in their exploit chain, otherwise, their entry will be disqualified.
Google said that it would reward researchers for all the bugs submitted to the Android VRP, which they did not use in the final exploit chain.
To foster competitiveness between participants, only the first researcher that files a bug report for an Android vulnerability will be allowed to use it.
A panel of judges will decide the winner
To win the big prize, researchers have to achieve an RCE (remote code execution) state on multiple devices running various Android OS versions. The researcher will know only the devices' phone numbers and email address.
To participate, researchers have to be 13 years or older. They can submit multiple entries, but they'll win just one prize.
A panel of judges will decide the winners. Below are the contest's exploit requirements. Full contest rules are available here.
“ Entries must consist of a full exploit chain providing access to third-party application files in internal storage on both Nexus 6P and Nexus 5X devices from a remote vector, and a document explaining how the exploit works, including every bug in the chain. ”
“ All vulnerabilities in an entry must have been reported in the Android Bug Tracker using this link prior to submission. ”
“ Exploits targeting any version of software available on up-to-date Nexus 5X and 6P devices throughout the Contest Period are eligible. ”
“ Entries should be sent to [email protected]. Once an entry is deemed complete and eligible, we will arrange a time a with the participant to demonstrate their exploit on live devices. The devices will be loaded with eligible software versions requested by the participant, and they will be provided with an email and US phone number on T-Mobile for the device. Each device will have a third-party application written for the purposes of the Contest installed, and this application will have written a file containing a token to the internal filesystem (path provided at time of entry). The entrant will then have one hour to provide the tokens, if the tokens are provided, the entry will be considered a winner. Winners (but not entries) will be posted as soon as they are verified. ”
“ If an entrant does not manage to obtain the tokens, but has a valid entry, they may submit again, but any entries that have been received in the meantime will get priority for prizes. ”
“ Entries where the user must open an email in Gmail, or open an SMS in Messenger are eligible, otherwise no user interaction is allowed. ”
“ Exploit chains must be practical from an attacker perspective. Entries that take an excessive amount of time to run, substantially interfere with use of the device, give clear indications of attack or are otherwise impractical may not be accepted, at our discretion. ”
“ The same bug chain must be used on both devices, except in the case where one device has a security feature that the other does not, in which case unique bugs may be used. ”
“ Exploits based on vulnerabilities reported before September 13, 2016, or reported by individuals other than the entrants are not eligible. Submissions that include bugs that have already been included in another entry are not eligible. In the case of a chain containing a duplicate (previously reported) bug, we will contact the participant, and give them a chance to resubmit. ”
“ Entries must include a list of everyone who contributed to the entry (though entrants can choose to remain anonymous when we announce the winners), and entrants can only win one prize. ”
“ Winning entries are not eligible for other vulnerability rewards programs at Google. Unsuccessful entries will be considered by those programs. ”
“ Entries for which any portion has been been disclosed to any party other than Google or vendors affected by vulnerabilities included in the exploit are ineligible. In addition, entries may be disqualified if any portion of them are disclosed to any party other than Google or affected vendors before 90 days have elapsed since submission. ”
It's safe to say that Google is looking for the next Stagefright bug, and is willing to pay to have it. Companies like Zerodium, the HackingTeam or the NSO Group also pay infosec researchers for Android zero-days if they find them useful.Prediction: Google's P0 Android $200k bug bounty will be collected by a Chinese team from Qihoo 360, Tencent or Baidu. — the grugq (@thegrugq) September 14, 2016