Project Zero Prize Turns Android Hacking Into A Contest
Bug bounties and hacking contests aren't exactly new and almost every tech firm is getting into it. In fact, even Apple just recently revealed its own rewards program for that. Not to be outdone at its own game, Google's Project Zero, the teams tasked with hunting down zero-day exploits, has announced the Project Zero Prize. On the outside, it's yet another hacking contest focusing on Android vulnerabilities. However, there are a few things that Project Zero will be doing differently during that six-month contest period.
For one, the goals of the bug hunt sounds almost insane. Contestants are to submit vulnerabilities or bug chains that will lead to remote code execution on Android devices. But to do that, all the hackers will have to know is the device's phone number and e-mail address. Nothing more. Definitely a challenge befitting the prize money.
But the process for Project Zero Prize is also different from others. The process and results are open in contrast to the conventional "security through obscurity" systems many, even Google itself, has in place. Bugs that will be used in submissions have to be reported in the Android issue trucker, which is a public place for filing bug reports. Contestants will also have to submit full descriptions of their exploits, which will be made public on the Project Zero blog.
The motivation for this unusual process, according to Project Zero, is not just to discover vulnerabilities, but to also learn more about how they work, how they spread, and more. Most of the times when there are rumored exploits on Androids, no action or actual incidents are reported. As a side effect, it also forces in some ways Android developers to quickly fix these reported bugs, as they will be under more public scrutiny.
The contest has already started and will continue for six month. The top entry will get $200,000 followed by $100,000 for the second best.
SOURCE: Google