Project Zero Security Contest Official Rules


NO PURCHASE NECESSARY TO ENTER OR WIN. VOID WHERE PROHIBITED.  CONTEST IS OPEN TO RESIDENTS OF THE 50 UNITED STATES, THE DISTRICT OF COLUMBIA AND WORLDWIDE, EXCEPT FOR ITALY, BRAZIL, QUEBEC, CRIMEA, CUBA, IRAN, SYRIA, NORTH KOREA, and SUDAN.

Term: The Contest begins at 12:00:00 A.M. Pacific Time (PT) Zone in the United States on September 13, 2016 and ends at 11:59:59 P.M. PT on March 14, 2017 (“Contest Period”). ENTRANTS ARE RESPONSIBLE FOR DETERMINING THE CORRESPONDING TIME ZONE IN THEIR RESPECTIVE JURISDICTIONS.

Sponsor: Google Inc., located at 1600 Amphitheatre Parkway, Mountain View, CA 94043, is the sponsor of this Contest ("Google").

Eligibility: The Contest is open to individuals who comply with the following criteria: (1) are over the age of eighteen (18) at the time of entry; (2) if an individual is 13 or older on the day this Contest begins, they may enter the Contest provided they have filled out a parental consent form (which will be provided by Google); (3) are not a resident of Italy, Brazil, Quebec, Cuba, Iran, Syria, North Korea, Sudan, or Crimea; (4) are not restricted by applicable export controls and sanctions programs; and (5) have access to the internet as of September 13, 2016.  Employees, officers, and directors of the member companies of Google Inc., their subsidiaries and affiliated companies, and their immediate families and those living in their households, are not eligible to participate in the Contest. VOID WHERE PROHIBITED. All federal, state and local laws and regulations apply.  Google reserves the right to verify eligibility and to adjudicate any dispute at any time.

How to Enter: Eligible participants may enter by completing the tasks as detailed in the entry requirements, and emailing project-zero-prize@google.com.

Participants may enter more than once but they can only win one prize. Participants may work in groups; however, the prize money will be awarded solely to the person who submits the entry via email. It is the sole responsibility of the registrant to distribute any potential winnings. Google assumes no liability for the distribution of payment to other group members.

Entries are void if they are in whole or in part illegible, incomplete, damaged, counterfeit, produced in error, forged, obtained through fraud or theft, or submitted in a language other than English. By entering you agree to be bound by these Official Rules and that all decisions of Google are final. If you are entering on behalf of your employer, these rules are binding on you, individually, and your company, and your company has consented to your entry and potential receipt of the Prize.

Entry Requirements:
  • Entries must consist of a full exploit chain providing access to third-party application files in internal storage on both Nexus 6P and Nexus 5X devices from a remote vector, and a document explaining how the exploit works, including every bug in the chain.
  • All vulnerabilities in an entry must have been reported in the Android Bug Tracker using this link prior to submission.
  • Exploits targeting any version of Android Nougat (7.x) software available on up-to-date Nexus 5X and 6P devices throughout the Contest Period are eligible.
  • Entries should be sent to project-zero-prize@google.com. Once an entry is deemed complete and eligible, we will arrange a time with the participant to demonstrate their exploit on live devices. The devices will be loaded with eligible software versions requested by the participant, and they will be provided with an email and US phone number on T-Mobile for the device. Each device will have a third-party application written for the purposes of the Contest installed, and this application will have written a file containing a token to the internal filesystem (path provided at time of entry). The entrant will then have one hour to provide the tokens; if the tokens are provided, the entry will be considered a winner. Winners (but not entries) will be posted as soon as they are verified.
  • If an entrant does not manage to obtain the tokens, but has a valid entry, they may submit again, but any entries that have been received in the meantime will get priority for prizes.
  • Entries where the user must open an email in Gmail, or open an SMS in Messenger are eligible, otherwise no user interaction is allowed.
  • Exploit chains must be practical from an attacker perspective. Entries that take an excessive amount of time to run, substantially interfere with use of the device, give clear indications of attack or are otherwise impractical may not be accepted, at our discretion.
  • The same bug chain must be used on both devices, except in the case where one device has a security feature that the other does not, in which case unique bugs may be used.
  • Exploits based on vulnerabilities reported before September 13, 2016, or reported by individuals other than the entrants are not eligible. Submissions that include bugs that have already been included in another entry are not eligible. In the case of a chain containing a duplicate (previously reported) bug, we will contact the participant, and give them a chance to resubmit.
  • Entries must include a list of everyone who contributed to the entry (though entrants can choose to remain anonymous when we announce the winners), and entrants can only win one prize.
  • Winning entries are not eligible for other vulnerability rewards programs at Google. Unsuccessful entries will be considered by those programs.
  • Entries for which any portion has been disclosed to any party other than Google or vendors affected by vulnerabilities included in the exploit are ineligible. In addition, entries may be disqualified if any portion of them is disclosed to any party other than Google or affected vendors before 90 days have elapsed since submission.

Judging: Entries must meet the requirements listed above. If an entry meets these requirements, entries will be awarded in the order they are submitted to project-zero-prize@google.com. That is, the first entry to meet the requirements will be awarded first prize, the second entry to meet the requirements will be awarded second prize, etc. The judges will only decide whether entries meet the requirements, not which prizes are awarded to each entry.

On a rolling basis, the potential winner(s) will be selected and notified by email. If a potential winner does not respond to the notification attempt within 7 days from the first notification attempt, then such potential winner will lose their priority for winning first or second place and an alternate potential winner will be selected from among all eligible entries received based on the judging criteria described herein.  

In the event that no entries meeting the requirements are received, no prize will be awarded.  Determinations of judges are final and binding.

Privacy: Google will be collecting personal data about participants when they register and enter the Contest. Google will treat this data in accordance with its privacy policy, located at http://www.google.com/intl/en/privacypolicy.html. In addition, Google may use and share your personal data with third parties in order to fulfill its obligation to administer and sponsor this Contest.

Prizes:
  • First Prize - Awarded to the first winning entry. $200,000 and a guest blog post on the Project Zero Blog.
  • Second Prize - Awarded to the second winning entry. $100,000 and a guest blog post on the Project Zero Blog.
  • Third Prize - Awarded to additional winning entries. At least $50,000 awarded by Android Security Rewards and a guest post on the Project Zero Blog.

Prize may be subject to terms, restrictions and conditions imposed by Google. Google and its affiliates, subsidiaries and related companies, or their respective officers, directors, employees, representatives and agents will not be liable for unsuccessful efforts to notify a winner. The prize will be paid within six (6) months of notification of the winner. No prize transfer, assignment or substitution by winner permitted except at Sponsor’s sole discretion. If the prize becomes unavailable, Sponsor reserves the right to substitute a prize of equal or greater value.  All federal, state and local taxes, fees and surcharges on prizes are the sole responsibility of the winner. If the potential winner declines the prize, does not respond to the prize notification, fails to claim the prize, is unavailable for prize fulfillment, fails to abide by the Official Rules, or is ineligible, Google may select an alternate winner from all remaining eligible entries.  In the event the potential winner is a minor, his or her parent or legal guardian must sign any necessary documents and return them as requested by Google. Blog posts must be technical reports explaining the winning entry. Google reserves the right to edit or not post blog posts for any reason.

Publicity: By accepting a prize, entrant agrees to Sponsor and its agencies’ use of his or her name and/or likeness and code for advertising and promotional purposes without additional compensation, unless prohibited by law.  However, entrant may choose to remain anonymous or use a pseudonym if they do not wish to reveal their name.

Intellectual Property Rights: By submitting code in this Contest, the entrant agrees that all original code in their entry may be released by Google under the Apache License 2.0 or any open source licence in use by the Android Open Source Project.  

Warranty, Indemnity and Release: Entrants warrant that their entry is 1) their own original work and they are the sole and exclusive owner and rights holder of the submitted code, binaries, and accompanying text or 2) that they have obtained all necessary rights and licenses to submit the entry to the Contest.  Each entrant agrees not to submit any code, binaries, text or other material that (1) infringes any third party proprietary rights, intellectual property rights, industrial property rights, personal or moral rights or any other rights, including without limitation, copyright, trademark, patent, trade secret, privacy, publicity or confidentiality obligations; or (2) otherwise violates the applicable state or federal law.

To the maximum extent permitted by law, each entrant indemnifies and agrees to keep indemnified Google at all times from and against any liability, claims, demands, losses, damages, costs and expenses resulting from any act, default or omission of the entrant and/or a breach of any warranty set forth herein. To the maximum extent permitted by law, each entrant agrees to defend, indemnify and hold harmless Google and its affiliates from and against any and all claims, actions, suits or proceedings, as well as any and all losses, liabilities, damages, costs and expenses (including reasonable attorneys fees) arising out of or accruing from (a) any code or other material uploaded or otherwise provided by the entrant that infringes any copyright, trademark, trade secret, trade dress, patent or other intellectual property right of any person or defames any person or violates their rights of publicity or privacy, (b) any misrepresentation made by the entrant in connection with the Contest; (c) any non-compliance by the entrant with these Official Rules; (d) claims brought by persons or entities other than the parties to these Official Rules arising from or related to the entrant’s involvement with the Contest; and (e) acceptance, possession, misuse or use of any prize or participation in any Contest-related activity or participation in this Contest.

Entrant releases Google from any liability associated with: (a) any malfunction or other problem with the Contest Site; (b) any error in the collection, processing, or retention of entry information; or (c) any typographical or other error in the printing, offering or announcement of any prize or winners.

Right to Cancel: If for any reason the Contest is not capable of running as planned, including tampering, unauthorized intervention, fraud, technical failures, printing errors, or any other causes which corrupt or affect the administration, security, fairness, integrity, or proper conduct of the Contest, Google reserves the right at its sole discretion to cancel, terminate, modify or suspend the Contest. Google further reserves the right to disqualify any entrant who tampers with the submission process, cheats, deceives, abuses, annoys, or threatens any other entrants or Judges.

Limitation of Liability & Disclaimer of Warranties: IN NO EVENT WILL GOOGLE OR ITS AFFILIATES, SUBSIDIARIES AND RELATED COMPANIES, OR THEIR RESPECTIVE OFFICERS, DIRECTORS, EMPLOYEES, REPRESENTATIVES AND AGENTS, BE RESPONSIBLE OR LIABLE FOR ANY DAMAGES OR LOSSES OF ANY KIND, INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL OR PUNITIVE DAMAGES ARISING OUT OF YOUR PARTICIPATION IN THE CONTEST OR FOR ANY ACTION OR OMISSION MADE IN CONNECTION WITH THE CONTEST. WITHOUT LIMITING THE FOREGOING, EVERYTHING IN THESE RULES AND IN THIS CONTEST, INCLUDING THE PRIZES AWARDED, IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT. SOME JURISDICTIONS MAY NOT ALLOW THE LIMITATIONS OR EXCLUSION OF LIABILITY FOR INCIDENTAL OR CONSEQUENTIAL DAMAGES OR EXCLUSION OF IMPLIED WARRANTIES SO SOME OF THE ABOVE LIMITATIONS OR EXCLUSIONS MAY NOT APPLY TO YOU. CHECK YOUR LOCAL LAWS FOR ANY RESTRICTIONS OR LIMITATIONS REGARDING THESE LIMITATIONS OR EXCLUSIONS.

Governing Law. This Contest is governed by the laws of California without regard to the conflict of laws provision.

Privacy Policy: Entries to this contest will be handled in accordance with Google's privacy policy (https://www.google.com/intl/en/policies/privacy/).

23 comments:

  1. Not saying this can't be done, but man, this is a set of strict rules. Honestly, I find it likely that zero to few winners (unlikely that all three prizes will be taken) will be found, unless they have some exploit involving a firmware update (but without keys even that is not feasible). Android's security, at least from remote access, has gotten fairly impenetrable at this point, and such exploits are rare.

  2. There are other bugs that can be easily exploited, without the limitation of only opening an SMS or email, and yes, the Google services and APIs are also exploitable with that in mind.

  3. There are many laws and regulations regarding contests in Italy, and this contest doesn't meet all the requirements, so unfortunately we cannot accept entries from Italy.

  4. Where's "Stagefright" from this?!

  5. Could you clarify the following:
    1. "Each device will have a third-party application written for the purposes of the Contest installed, and this application will have written a file containing a token to the internal filesystem (path provided at time of entry). The entrant will then have one hour to provide the tokens"
    Does this mean that the executable code that the exploit delivers must read a token file and display the token on the screen, or deliver the token to the exploiter by some other means?
    2. What interactions other than opening a mail in Gmail or SMS are allowed? Can the user click on a link?
    3. Are the phones on which the exploit will run unlocked?
    Thanks, Andy

    1. Andy, I'd assume these are from factory locked (the fastboot unlockable locked, not carrier locked) phones. No user interaction allowed per the rules (outside of opening said text or email), that was pretty clear. As for #1 it sounds like they want you to get the file, but I'm curious about that as well. Assuming you can get in, it's likely you could read it, email it, etc without issues.

  6. Email and phone number exploits? Where is the email and phone number acquired from?

    1. They will be provided once your exploits are ready to be demonstrated live.

  7. It's a pity that Brazil can't take part. Disappointed!

    Daniel Cantuária

  8. For which version of Android can I file a bug?

    1. Obviously mentioned there. Android 7.0 on Nexus 5X/6P.

  9. Please clarify:
    "Entries must consist of a full exploit chain providing access to third-party application files in internal storage on both Nexus 6P and Nexus 5X devices from a remote vector..."
    What if it works on one device and not the other? Will the prize still be awarded?
    Thanks
    Andy

  10. Zero interaction exploits for 200k or less, good luck with that... :(

  12. Is this contest also available in India?
