Google yesterday announced a six-month bug contest that will pay up
to 0,000 for an Android "bug chain," one or more successful exploits
of previously unknown vulnerabilities.
Dubbed "Project Zero Prize," it differed from hacking contests
that take place over one or two days: Researchers can submit entries
from now until March 14, 2017. In that regard, Google's contest
resembled the limited-time bug bounties that rival Microsoft has offered
to focus on, among other areas and applications, in Windows 10's Edge browser.
In
the case of multi-exploit entries, Google also departed from the usual
contest or bounty rules by encouraging researchers to submit each link
in the bug chain as the flaws were uncovered, rather than wait until all
were in place and exploitable.
"Instead of saving up bugs until
there's an entire bug chain, and then submitting it to the Project Zero
Prize, participants are asked to report the bugs in the Android issue
tracker," wrote Natalie Silvanovich, a Google security engineer, in a post to a company blog. "They can then be used as a part of submission by the participant anytime during the six-month contest period."
It's
in each participant's interest to file bugs as soon as possible since
Google will credit only the first who submits a specific bug.
Researchers must be able to hack a Nexus 6P and
a Nexus 5X smartphone running any version of Android that is current
during the six-month stretch. "Entries where the user must open an email
in Gmail, or open an SMS in Messenger are eligible, otherwise no user
interaction is allowed," the contest's rules stated.
The
first researcher to submit a winning bug chain will be awarded
$200,000, with half of that going to the second researcher. Others will
receive at least $50,000 each.
Silvanovich touted the contest as
not only a way for Google to quash a few bugs, but to learn more about
the vulnerability marketplace. "We hope that this contest will give us
another data point on the availability of these types of exploits," she
said. "There is fairly limited public information about this subject,
and we might be able to glean some useful data from the number of
submissions."
Google announced the Project Zero Prize a week after security vendor Trend Micro spelled out Mobile Pwn2Own 2016,
a more traditional hacking contest that will run Oct. 26 and Oct. 27 in
Tokyo. Prizes at Pwn2Own range from $35,000 to $250,000, with those
targeting the Nexus 6P -- one of three smartphones on the hit list --
maxing out at $100,000.
Although Google had been a co-sponsor of Pwn2Own in the past, that relationship ended last year.
0 Comments:
Post a Comment
Your comment and facebook share will be appreciated