Google announced on Tuesday the launch of a new hacking contest that invites researchers to find serious vulnerabilities and exploit chains in the Android operating system. The search giant is prepared to pay hundreds of thousands of dollars to the winners.
The contest, named “The Project Zero Prize,” will run until March 14, 2017. Participants must find a full exploit chain that achieves remote code execution on up-to-date Nexus 6P and Nexus 5X devices, knowing only the devices’ email address and phone number – the maximum allowed user interaction is opening an email in Gmail or an SMS in Messenger.
The first winning entry will be awarded $200,000, and the second will get $100,000. All the other winning entries will receive at least $50,000. Winners will also be invited to write a short technical report describing the vulnerabilities on the Project Zero blog.
While the Project Zero Prize competition takes place over the course of six months, hackers must not hoard the flaws they find. Each bug in the chain must be submitted to the Android issue tracker as soon as possible to ensure that it’s not reported by someone else first, as only the first person to file a vulnerability can use it as part of their exploit.
“Our main motivation is to gain information about how these bugs and exploits work,” explained Natalie Silvanovich of Google’s Project Zero team. “There are often rumours of remote Android exploits, but it’s fairly rare to see one in action. We’re hoping this contest will improve the public body of knowledge on these types of exploits. Hopefully this will teach us what components these issues can exist in, how security mitigations are bypassed and other information that could help protect against these types of bugs.”
Another reason for running the contest, Silvanovich said, is to fix potentially dangerous Android vulnerabilities so that they don’t impact users. The search giant also hopes to gather some statistical data on the availability of these exploits.
Entries that don’t win any prizes as part of the competition can still qualify for a reward in the regular Android bug bounty program. In June, after paying out more than half a million dollars, Google announced that it had increased Android bug bounty payouts to a maximum of $50,000 per submission.