Big bounty offered to expose remote vulnerabilities on Android devices
Google has announced plans to offer a significant reward to anyone capable of uncovering severe vulnerabilities in Android mobile devices. The Project Zero Prize is worth up to $200,000.
The contest opened on September 13 and runs until March 14. Anyone with the relevant research expertise is invited to search for critical Android bugs, specifically ones that affect Nexus 6P and Nexus 5X devices running the most current builds.
Bug bounty programs of this sort are not unique, but the amount Google is offering is significantly larger than normal. The tech giant is also taking the unusual step of asking that vulnerabilities be reported as soon as they are found, even before they are fully understood or chained into a working exploit. If a bug reported by one entrant also turns out to be part of another entrant's exploit chain, only the first person or team to report it receives credit for it. The goal of this approach is to expedite the resolution process and discourage "bug hoarding", in which researchers hold back vulnerabilities in order to claim a larger bounty later.
A prize of $200,000 will be given to the first winning entry, with $100,000 going to the second and an undisclosed number of $50,000 prizes being awarded through the Android Security Rewards program.
Google staffer Natalie Silvanovich said in the post announcing the Project Zero Prize that "Our main motivation is to gain information about how these bugs and exploits work. There are often rumors of remote Android exploits, but it's fairly rare to see one in action. We're hoping this contest will improve the public body of knowledge on these types of exploits. Hopefully this will teach us what components these issues can exist in, how security mitigations are bypassed and other information that could help protect against these types of bugs."
After a bug has been found and reported, the researcher will be required to demonstrate it in a live setting. The exploit must allow the researcher to access a specific file on the device, and the only user interaction permitted is opening Gmail or Messenger. The contest guidelines state that the exploit must complete within a limited amount of time, must not interfere with the normal function of the device, and must not give any clear indication that the device is being exploited.
Apple announced a similar program with an identical top prize in early August. The only major difference is that Apple's bounty program is open only to a select group of researchers who have received an explicit invitation.