Google announced on Tuesday the launch of a new hacking contest that invites researchers to find serious vulnerabilities and exploit chains in the Android operating system. The search giant is prepared to pay hundreds of thousands of dollars to the winners.
The contest, named “The Project Zero Prize,” will run until March 14, 2017. Participants must find a full exploit chain that allows them to achieve remote code execution on up-to-date Nexus 6P and Nexus 5X devices while knowing only the devices’ email address and phone number – the maximum allowed user interaction is opening an email in Gmail or an SMS in Messenger.
The first winning entry will be awarded $200,000, and the second will get $100,000. All the other winning entries will receive at least $50,000. Winners will also be invited to write a short technical report describing the vulnerabilities on the Project Zero blog.
While the Project Zero Prize competition takes place over the course of six months, hackers must not hoard the flaws they find. Each bug in the chain must be submitted to the Android issue tracker as soon as possible to ensure that it’s not reported by someone else first, as only the first person to file a vulnerability can use it as part of their exploit.
“Our main motivation is to gain information about how these bugs and exploits work,” explained Natalie Silvanovich of Google’s Project Zero team. “There are often rumours of remote Android exploits, but it’s fairly rare to see one in action. We’re hoping this contest will improve the public body of knowledge on these types of exploits. Hopefully this will teach us what components these issues can exist in, how security mitigations are bypassed and other information that could help protect against these types of bugs.”
Another reason for running the contest, Silvanovich said, is to fix potentially dangerous Android vulnerabilities so that they don’t impact users. The search giant also hopes to gather some statistical data on the availability of these exploits.
Entries that don’t win any prizes as part of the competition can still qualify for a reward in the regular Android bug bounty program. In June, after paying out more than half a million dollars, Google announced that it had increased Android bug bounty payouts to a maximum of $50,000 per submission.

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
