In addition to the security rewards program that Google launched for Android last year, Google has today announced The Project Zero Prize, a competition designed to highlight vulnerabilities affecting Android.
The competition opens today and runs until March 14 next year, offering up to $200,000 for first prize, $100,000 for second prize, and $50,000 for third prize as part of the Android Security Rewards for additional winning entries.
So, what do they want? Google is looking to find ‘a vulnerability or bug chain that achieves remote code execution on multiple Android devices knowing only the devices’ phone number and email address’. The exploit must provide access to third-party application files on the internal storage of both a Nexus 5X and 6P from a remote vector.
All entries have to be submitted to the Android Issue Tracker, along with a document explaining how the exploit works. Google also advises that partial entries can be strung together once an entire exploit is found. Google specifically says:
Instead of saving up bugs until there’s an entire bug chain, and then submitting it to the Project Zero Prize, participants are asked to report the bugs in the Android issue tracker. They can then be used as a part of submission by the participant any time during the six month contest period. Only the first person to file a bug can use it as a part of their submission, so file early and file often!
Google sees The Project Zero Prize as a PR exercise as well as a potential way to get bugs found, stating ‘There are often rumours of remote Android exploits, but it’s fairly rare to see one in action’. Google hopes the contest will improve public knowledge of these remote exploits in a bid to stave them off.
If you’re a security researcher or interested in hacking on Android, you can read more about the Project Zero Prize in the Terms and Conditions.