Tuesday, September 13, 2016

Announcing the Project Zero Prize

Posted by Natalie Silvanovich, Exploit Enthusiast


Despite the existence of vulnerability rewards programs at Google and other companies, many unique, high-quality security bugs have been discovered as a result of hacking contests. Hoping to continue the stream of great bugs, we’ve decided to start our own contest: The Project Zero Prize.

The goal of this contest is to find a vulnerability or bug chain that achieves remote code execution on multiple Android devices knowing only the devices’ phone number and email address. Successful submissions will be eligible for the following prizes.

First Prize

$200,000 USD, awarded to the first winning entry.

Second Prize

$100,000 USD, awarded to the second winning entry.

Third Prize

At least $50,000 USD, awarded by Android Security Rewards to additional winning entries.

In addition, participants who submit a winning entry will be invited to write a short technical report on their entry, which will be posted on the Project Zero Blog.

Contest Structure


This contest will be structured a bit differently from other contests. Instead of saving up bugs until there’s an entire bug chain and then submitting it to the Project Zero Prize, participants are asked to report the bugs in the Android issue tracker. The bugs can then be used as part of a submission by the participant at any time during the six-month contest period. Only the first person to file a bug can use it as a part of their submission, so file early and file often! Of course, any bugs that don’t end up being used in a submission will be considered for Android Security Rewards and any other rewards program at Google they might be eligible for after the contest has ended.

In addition, unlike other contests, the public sharing of vulnerabilities and exploits submitted is paramount. Participants will submit a full description of how their exploit works with their submission, which will eventually be published on the Project Zero blog. Every vulnerability and exploit technique used in each winning submission will be made public.

Motivation


So why are we doing yet another hacking contest? Our main motivation is to gain information about how these bugs and exploits work. There are often rumours of remote Android exploits, but it’s fairly rare to see one in action. We’re hoping this contest will improve the public body of knowledge on these types of exploits. Hopefully this will teach us what components these issues can exist in, how security mitigations are bypassed and other information that could help protect against these types of bugs.

Also, we’re hoping to get dangerous bugs fixed so they don’t impact users. Contests often lead to types of bugs that are less commonly reported getting fixed, so we’re hoping this contest leads to at least a few bugs being fixed in Android.

Finally, we hope that this contest will give us another data point on the availability of these types of exploits. There is fairly limited public information about this subject, and we might be able to glean some useful data from the number of submissions. Of course, a contest can never truly replicate the market conditions within which vulnerabilities are bought and sold, but it still provides at least some interesting information. If the first prize is won in thirty seconds, we learn something. If there are no submissions, we learn something. But we’re expecting we’ll get something in between.

Interested? See the full contest rules and frequently asked questions for more information, including how to submit. The contest starts today!

Happy Hunting!

20 comments:

  1. If one could do this, the exploit could be sold to other companies or entities for a much higher price.

    1. Companies I doubt it, governments maybe, but you would have to know people to even get to the point you could sell it. Unless you're talking about the government contractors that deal with this stuff, then yeah maybe.

  2. Is phishing/spear phishing allowed? Or are we to assume no user interaction to achieve remote code execution?

    1. We should not make any interaction with the victim's phone and all we need to hack is to find the phone number and email address connected with their Android device. (Nexus 6P and 5X itself only)

    2. That'd be far too easy. I'm assuming there is no social engineering allowed.

  3. This is very possible and I know how. They wanna know how you do it so they can make it to where you can't anymore and paying a low price for the information. I would tell them for $1 million. Not for 200,000

    1. I got a sweet deal for you, how about you share it with me instead, I send it over to Google and I'll donate all 200k to St. Jude. That way you anonymously helped and didn't sell your secret short. Deal? I'll wait for your email.

  4. Only 200K? Mehhhhh, find out yourself stingy ass. Many buyers out there could pay more than this price… 200k not worth for finding needle under haystack. This vulnerable can sell much more better price than this reward…

  5. Yes, it's a 100% true fact that if one could do this, the exploit could be sold to other companies or entities for a much higher price.

  6. If one could do this, the exploit could be sold to other companies or entities for a much higher price.

    1. copy, pasting comments since time immemorial?!

  7. Obviously the shady companies selling surveillance/hacking software to govs to be used for disturbing purposes would pay more than Google's bounty. However, it's good to see that Google is offering a moderate bounty for the security researchers that have a moral backbone to submit the bugs so that they can be fixed.

  8. Residents of Brazil can't participate?!!
    https://googleprojectzero.blogspot.com.br/p/project-zero-security-contest-official.html

  9. unfortunately I do not have the skills...

  10. Would it count if we were to develop an app, which contains code that would do this?
