
Didn't we offer you enough? Google's $350,000 Project Zero prize attracts junk entries


The Project Zero Prize sought bugs that gave remote code execution on multiple Android devices when only the phone number and email address of the target device were known.


Image: Laurent Delhourme, Getty Images/iStockphoto

Google’s Project Zero bug-hunting group hoped that launching a special six-month hacker prize with a top payout of $200,000 would uncover novel remote code execution (RCE) attacks on Android. However, the prize has now concluded with not only no winners, but not a single valid entry.

“Everything we received was either spam, or did not remotely resemble a contest entry as described in the rules,” wrote Project Zero member Natalie Silvanovich.

Google announced the Project Zero Prize in September, offering hackers $200,000 for the winning entry, $100,000 for the runner-up, and $50,000 to additional winning entries. It differed from Google’s other rewards programs, which pay researchers for qualifying bugs, and from contests that incentivize hackers to save up bugs for a larger prize on competition day.

Instead, the Project Zero Prize sought a bug or series of bugs that gave an RCE on multiple Android devices when only the phone number and email address of the target device were known.

Also, the attack mustn’t require user interaction, such as clicking on a malicious link. In other words, they were hoping to find a bug like Stagefright, which could be exploited merely by receiving a malicious media file.

Hackers were also required to report the bugs in the Android issue tracker as they’re found, with the assurance to the first reporter of each bug that he or she had exclusive rights to use that bug as part of a chained attack.

Project Zero hoped to pick the best out of a selection of submissions, as well as gather knowledge about the market for trading zero-day vulnerabilities.

The group accounted for the possibility that it would fail to attract any submissions, noting that in this event it would still learn something, but it was expecting at least a few submissions.

Project Zero’s discussions with hackers about the prize point to several issues that caused the lack of entries, according to Silvanovich.

The first is that excluding attacks that required user interaction may have set the bar too high. Silvanovich said it is “likely that this was a sticking point for participants”.

“While this type of bug is not unheard of, it is likely difficult to find quality bugs in this area. This means that the timeframe of the contest or prize amount may not have been adequate to elicit this type of bug,” Silvanovich wrote.

A second potential obstacle was the rule requiring contestants to submit bugs on the go, even before a full chain had been achieved.

“We underestimated the impact of other contests on participants’ incentives,” noted Silvanovich.

“We expected these rules to encourage participants to file any bugs they found immediately, as only the first finder could use a specific bug, and multiple reports of the same Android bug are fairly common. Instead, some participants chose to save their bugs for other contests that had lower prize amounts but allowed user interaction, and accept the risk that someone else might report them in the meantime.”

Finally, Project Zero is taking the absence of entries to mean the prizes were too low, given the difficulty of the rules for the contest.

On the bright side, Silvanovich said the contest was a learning experience that may help inform future contests.

(via PCMag)
