Google Project Zero Prize Pays $200,000 for Critical Vulnerability Chains

Google Project Zero announced a six-month Android bug bounty program that requires researchers to file bugs as they find them, rather than hoard the whole chain.

Apple isn’t the only one offering up a $200,000 reward for severe vulnerabilities on mobile devices. Google followed suit yesterday with the announcement of the Project Zero Prize, and like the Apple Security Bounty, the top payout is $200,000.

Announced by Google’s Project Zero research team, the contest began yesterday and is scheduled to run through next March 14. Researchers are invited to find critical bugs in Android, specifically on Nexus 6P and Nexus 5X devices running the current build for each device, Google said.

“The goal of this contest is to find a vulnerability or bug chain that achieves remote code execution on multiple Android devices knowing only the devices’ phone number and email address,” said Project Zero team member Natalie Silvanovich.

The program has a unique structure in that researchers will be asked to report bugs to the Android issue tracker as they are found, rather than wait until they have the full vulnerability chain ready to go.

“They can then be used as a part of submission by the participant any time during the six month contest period. Only the first person to file a bug can use it as a part of their submission, so file early and file often!” Silvanovich said. “Of course, any bugs that don’t end up being used in a submission will be considered for Android Security Rewards and any other rewards program at Google they might be eligible for after the contest has ended.”

Google said the first winning entry earns $200,000 and the second is rewarded with $100,000. Google said $50,000 prizes will be awarded to additional entries through the Android Security Rewards program.

“Our main motivation is to gain information about how these bugs and exploits work. There are often rumours of remote Android exploits, but it’s fairly rare to see one in action,” Silvanovich said. “We’re hoping this contest will improve the public body of knowledge on these types of exploits. Hopefully this will teach us what components these issues can exist in, how security mitigations are bypassed and other information that could help protect against these types of bugs.”

Once an entry is verified and made eligible by Project Zero, the researcher will be asked to demonstrate the exploit chain on a live device for Google. The target device will have a third-party app installed specifically for the Project Zero Prize. The app will have already written a file containing a token to the internal file system.

“The entrant will then have one hour to provide the tokens; if the tokens are provided, the entry will be considered a winner,” the rules say. “Winners (but not entries) will be posted as soon as they are verified.” Google said that the only user interaction allowed is opening a Gmail or SMS message in Messenger.

“Exploit chains must be practical from an attacker perspective. Entries that take an excessive amount of time to run, substantially interfere with use of the device, give clear indications of attack or are otherwise impractical may not be accepted, at our discretion,” Google said. “The same bug chain must be used on both devices, except in the case where one device has a security feature that the other does not, in which case unique bugs may be used.”

The Apple bounty differs quite a bit in that it’s a closed bounty, available only to a select few researchers at Apple’s discretion. Announced at Black Hat this summer, the bounty will pay out its top prize for vulnerabilities and proof-of-concept code in secure boot firmware components. It will also pay $100,000 for the extraction of confidential material protected by its Secure Enclave Processor, $50,000 for code execution flaws with kernel privileges or unauthorized access to iCloud account data on Apple servers, and $25,000 for access from a sandboxed process to user data outside that sandbox.