Google announced Tuesday that it is starting a new contest to capitalize on the success of previous vulnerability programs. The Project Zero Prize is aimed at finding a vulnerability or bug chain that achieves remote code execution on multiple Android devices knowing only the devices’ phone number and email address, said Google.
Successful submissions will be eligible for the following prizes:
First Prize: $200,000 USD, awarded to the first winning entry.
Second Prize: $100,000 USD, awarded to the second winning entry.
Third Prize: At least $50,000 USD awarded by Android Security Rewards, awarded to additional winning entries.
In addition, participants who submit a winning entry will be invited to write a short technical report on their entry, which will be posted on the Project Zero Blog, Google said.
Participants will also be asked to report the bugs in the Android issue tracker. The bugs can then be used as part of a submission by the participant at any time during the six-month contest period. Only the first person to file a bug can use it as part of their submission.
Bugs that don’t end up being used in a submission will be considered for Android Security Rewards and any other rewards program at Google they might be eligible for after the contest has ended.
In addition, unlike other contests, the public sharing of vulnerabilities and exploits submitted is paramount. Participants will submit a full description of how their exploit works with their submission, which will eventually be published on the Project Zero blog.
Every vulnerability and exploit technique used in each winning submission will be made public, Google said.
Google’s main motivation is to gain information about how these bugs and exploits work. They are hoping to get dangerous bugs fixed so they don’t impact users. Contests often lead to fixes for types of bugs that are less commonly reported, Google said.
Google also said that this contest will give them another data point on the availability of these types of exploits. There is fairly limited public information about this subject, and they might be able to glean some useful data from the number of submissions.