Announcing the Project Zero Prize by Natalie Silvanovich.
Before reading the “official” post, consider this Dilbert cartoon.
Same logic applies here:
How to compare alternatives? ($200K sets a minimum bid.)
Potential for repeat business?
For a pwn of any Android phone, $200K sounds a bit “lite.”
Watch the Android issue tracker. A third-party bidder won’t insist on you using only your reported bugs in an exploit chain.
Before anyone gets indignant, the NSA, CIA, the “Russians,” Chinese, Mossad, etc., will all be watching as well. Think of it as having “governmental” ethics.
From the post:
Despite the existence of vulnerability rewards programs at Google and other companies, many unique, high-quality security bugs have been discovered as a result of hacking contests. Hoping to continue the stream of great bugs, we’ve decided to start our own contest: The Project Zero Prize.
The goal of this contest is to find a vulnerability or bug chain that achieves remote code execution on multiple Android devices knowing only the devices’ phone number and email address. Successful submissions will be eligible for the following prizes.
First Prize
$200,000 USD, awarded to the first winning entry.
Second Prize
$100,000 USD, awarded to the second winning entry.
Third Prize
At least $50,000 USD awarded by Android Security Rewards, awarded to additional winning entries.
In addition, participants who submit a winning entry will be invited to write a short technical report on their entry, which will be posted on the Project Zero Blog.
Contest Structure
This contest will be structured a bit differently than other contests. Instead of saving up bugs until there’s an entire bug chain, and then submitting it to the Project Zero Prize, participants are asked to report the bugs in the Android issue tracker. They can then be used as a part of submission by the participant any time during the six month contest period. Only the first person to file a bug can use it as a part of their submission, so file early and file often! Of course, any bugs that don’t end up being used in a submission will be considered for Android Security Rewards and any other rewards program at Google they might be eligible for after the contest has ended.
In addition, unlike other contests, the public sharing of vulnerabilities and exploits submitted is paramount. Participants will submit a full description of how their exploit works with their submission, which will eventually be published on the Project Zero blog. Every vulnerability and exploit technique used in each winning submission will be made public.
Contest period:
The Contest begins at 12:00:00 A.M. Pacific Time (PT) Zone in the United States on September 13, 2016 and ends at 11:59:59 P.M. PT on March 14, 2017 (“Contest Period”).
Good hunting!
PS: If possible, post the paid price for your exploit to help set the market price for future such exploits.