Google offers $200K for top prize in new Android hack challenge

Launches limited-time 'bug chain' contest to root out security vulnerabilities

Google yesterday announced a six-month bug contest that will pay up to $200,000 for an Android "bug chain," one or more successful exploits of previously unknown vulnerabilities.

Dubbed "Project Zero Prize," it differed from hacking contests that take place over one or two days: Researchers can submit entries from now until March 14, 2017. In that regard, Google's contest resembled the limited-time bug bounties that rival Microsoft has offered to focus on, among other areas and applications, in Windows 10's Edge browser.

In the case of multi-exploit entries, Google also departed from the usual contest or bounty rules by encouraging researchers to submit each link in the bug chain as the flaws were uncovered, rather than wait until all were in place and exploitable.

"Instead of saving up bugs until there's an entire bug chain, and then submitting it to the Project Zero Prize, participants are asked to report the bugs in the Android issue tracker," wrote Natalie Silvanovich, a Google security engineer, in a post to a company blog. "They can then be used as a part of submission by the participant anytime during the six-month contest period."

It's in each participant's interest to file bugs as soon as possible since Google will credit only the first who submits a specific bug.

Researchers must be able to hack a Nexus 6P and a Nexus 5X smartphone running any version of Android that is current during the six-month stretch. "Entries where the user must open an email in Gmail, or open an SMS in Messenger are eligible, otherwise no user interaction is allowed," the contest's rules stated.

The first researcher to submit a winning bug chain will be awarded $200,000, with half of that going to the second researcher. Others will receive at least $50,000 each.

Silvanovich touted the contest as not only a way for Google to quash a few bugs, but to learn more about the vulnerability marketplace. "We hope that this contest will give us another data point on the availability of these types of exploits," she said. "There is fairly limited public information about this subject, and we might be able to glean some useful data from the number of submissions."

Google announced the Project Zero Prize a week after security vendor Trend Micro spelled out Mobile Pwn2Own 2016, a more traditional hacking contest that will run Oct. 26 and Oct. 27 in Tokyo. Prizes at Pwn2Own range from $35,000 to $250,000, with those targeting the Nexus 6P -- one of three smartphones on the hit list -- maxing out at $100,000.

Although Google had been a co-sponsor of Pwn2Own in the past, that relationship ended last year.

Join the CSO newsletter!

Error: Please check your email address.

Tags GoogleAndroidhacking

More about GoogleMessengerMicrosoftTrend Micro

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Gregg Keizer

Latest Videos

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

  • 150x50

    IDG Live Webinar:The right collaboration strategy will help your business take flight

    Speakers - Mike Harris, Engineering Services Manager, Jetstar - Christopher Johnson, IT Director APAC, 20th Century Fox - Brent Maxwell, Director of Information Systems, THE ICONIC - IDG MC/Moderator Anthony Caruana

    Play Video

More videos

Blog Posts