Google reported last week that its Project Zero Prize contest was not as successful as the company hoped it would be – no valid Android exploits were submitted and no prizes were awarded.
In September, Google announced the start of a six-month Android hacking contest that invited researchers to submit serious vulnerabilities and exploit chains. The first winning entry was offered $200,000, and the second would have received $100,000. Other entries were promised at least $50,000.
While some research teams and individuals informed the company of their intention to take part in the contest, ultimately, no one submitted any valid bugs, said Google Project Zero’s Natalie Silvanovich. Some vulnerability reports were submitted, but they were not eligible for a reward under the rules of the Project Zero Prize.
Google believes three main factors led to the lack of entries. One of them was the level of difficulty – hackers were required to find a full exploit chain that allowed remote code execution on up-to-date Nexus 6P and Nexus 5X devices while knowing only the target's email address and phone number. The only interaction permitted from the targeted user was opening an email in Gmail or an SMS in Messenger.
Project Zero Prize participants were encouraged to submit partial exploits during the contest, because the rules allowed only the first submitter of a given vulnerability to use it during the contest.
“We expected these rules to encourage participants to file any bugs they found immediately, as only the first finder could use a specific bug, and multiple reports of the same Android bug are fairly common,” Silvanovich explained. “Instead, some participants chose to save their bugs for other contests that had lower prize amounts but allowed user interaction, and accept the risk that someone else might report them in the meantime.”
The tech giant also believes the prizes offered in the contest may have been too small for the types of vulnerabilities that were required. For example, zero-day acquisition firm Zerodium also offers up to $200,000 for Android rooting exploits, and such exploits can fetch much more on the black market.
While this contest was not a success, researchers do find plenty of vulnerabilities in Android. Google revealed recently that it paid out roughly $1 million for Android flaws reported last year through its vulnerability reward program.