Calling all hackers and security researchers: Google wants to pay you money. Quite a lot, in fact. Google’s Project Zero team which is dedicated to making the web a safer place for everyone, has announced on their official blog that they’re now going to hold their very own contest called ‘The Project Zero Prize.’ The contest offers a large amont of $200,000 as the first prize.
Beginning Tuesday (US Time) and ending on March 14, 2017, Google’s contest will be paying cash prizes to contestants who can hack a Nexus 6P and 5X but be aware, that prize doesn’t go to any old run of the mill vulnerability. In order to be eligible, participants must find “a vulnerability or bug chain that achieves remote code execution on multiple Android devices knowing only the devices’ phone number and email address.”
A user can open an email in Gmail or an SMS text in Messenger. However, no other user interaction beyond that is allowed for the hacker to take advantage of. The same bug should be used on both Nexus devices, unless it takes advantage of a security feature one of the smartphones has that the other does not. That’s a tall order, and it may be possible that nobody wins..
The contest period lasts for six months having begun yesterday for some, which may seem like a long time but it has to do with the “structure” of the contest that Project Zero has set up. According to the contest guidelines, entrants need to send in their research in the form of an Android issue tracker report, then send in that annotated issue to the Project Zero team for consideration. That means unlike other contests where one finds a bug, exploits it and moves further, creating a chain of such bugs and submits the findings collectively a the end, the entrants in the Project Zero contest will need to report each bug as they find it.
Additionally, only the person who submitted the bug to the Android Issue Tracker is allowed to use that bug as part of his or her submission, so Project Zero recommends that participants report their bugs to the tracker as early and as often as they can. Project Zero also notes that if a bug is not used, it may still be eligible for Google’s various rewards programs for Android bugs, although not until after the contest has ended. Once winners are selected they’ll be invited to write up their discoveries for the Project Zero blog.
The frist prize, as mentioned before is $200,000, the second prize is $100,000 and the third prize is $50,000 which is a lot as well. The prizes will be awarded by Android Security Rewards
Source: Project Zero blog