Google has launched a new competition called the Project Zero Prize that challenges security researchers to find vulnerabilities or bug chains in Android devices. The catch is that these flaws should achieve remote code execution on devices given only the phone number and email address. The first winning entry will win $200,000 (approx. Rs. 1,33,79,000), while the second prize is $100,000 (approx. Rs. 66,89,500). Additional winning entries stand to win at least $50,000 (approx. Rs. 33,44,750), which will be awarded by Android Security Rewards. Further, those who submit a winning entry will be invited to write a short technical report on their entry, which will be posted on the Project Zero Blog.
Google has also asked contestants to submit bugs as they come across them. The bugs are to be reported via the Android issue tracker, and a participant can use these bugs as part of a submission at any time during the six-month-long contest. Further, only the first person who finds a bug will be able to use it as part of a submission. However, any bugs that are not used in a submission will still be considered for Android Security Rewards. The vulnerabilities and exploits used in the winning submission will be made public.
The aim of the contest is to learn how these bugs and exploits work. Project Zero’s Natalie Silvanovich stated, “We’re hoping this contest will improve the public body of knowledge on these types of exploits. Hopefully this will teach us what components these issues can exist in, how security mitigations are bypassed and other information that could help protect against these types of bugs.” She also said that these contests often lead to less commonly reported bugs getting fixed, which should lead to a less buggy OS.