Google yesterday announced a six-month bug contest that will pay up to $200,000 for an Android "bug chain," one or more successful exploits of previously unknown vulnerabilities.
Dubbed "Project Zero Prize," it differed from hacking contests that take place over one or two days: Researchers can submit entries from now until March 14, 2017. In that regard, Google's contest resembled the limited-time bug bounties that rival Microsoft has offered to focus on, among other areas and applications, in Windows 10's Edge browser.
In the case of multi-exploit entries, Google also departed from the usual contest or bounty rules by encouraging researchers to submit each link in the bug chain as the flaws were uncovered, rather than wait until all were in place and exploitable.
"Instead of saving up bugs until there's an entire bug chain, and then submitting it to the Project Zero Prize, participants are asked to report the bugs in the Android issue tracker," wrote Natalie Silvanovich, a Google security engineer, in a post to a company blog. "They can then be used as a part of submission by the participant anytime during the six-month contest period."
It's in each participant's interest to file bugs as soon as possible since Google will credit only the first who submits a specific bug.
Researchers must be able to hack a Nexus 6P and a Nexus 5X smartphone running any version of Android that is current during the six-month stretch. "Entries where the user must open an email in Gmail, or open an SMS in Messenger are eligible, otherwise no user interaction is allowed," the contest's rules stated.
The first researcher to submit a winning bug chain will be awarded $200,000, with half of that going to the second researcher. Others will receive at least $50,000 each.
Silvanovich touted the contest as not only a way for Google to quash a few bugs, but to learn more about the vulnerability marketplace. "We hope that this contest will give us another data point on the availability of these types of exploits," she said. "There is fairly limited public information about this subject, and we might be able to glean some useful data from the number of submissions."
Google announced the Project Zero Prize a week after security vendor Trend Micro spelled out Mobile Pwn2Own 2016, a more traditional hacking contest that will run Oct. 26 and Oct. 27 in Tokyo. Prizes at Pwn2Own range from $35,000 to $250,000, with those targeting the Nexus 6P -- one of three smartphones on the hit list -- maxing out at $100,000.
Although Google had been a co-sponsor of Pwn2Own in the past, that relationship ended last year.