Google’s Project Zero bug-hunting group hoped that launching a special six-month hacker prize with a top payout of $200,000 would uncover novel remote code execution (RCE) attacks on Android. However, the prize has now concluded with not only no winners, but not a single valid entry.
“Everything we received was either spam, or did not remotely resemble a contest entry as described in the rules,” wrote Project Zero member Natalie Silvanovich.
Google announced the Project Zero Prize in September, offering hackers $200,000 for the winning entry, $100,000 for the runner-up, and $50,000 to additional winning entries. It differed from Google’s other rewards programs, which pay researchers for qualifying bugs, and from contests that incentivize hackers to save up bugs for a larger prize on competition day.
Instead, the Project Zero Prize sought a bug or series of bugs that gave an RCE on multiple Android devices when only the phone number and email address of the target device were known.
Also, the attack mustn’t require user interaction, such as clicking on a malicious link. In other words, they were hoping to find a bug like Stagefright, which could be exploited merely by receiving a malicious media file.
Hackers were also required to report the bugs in the Android issue tracker as they’re found, with the assurance to the first reporter of each bug that he or she had exclusive rights to use that bug as part of a chained attack.
Project Zero hoped to pick the best out of a selection of submissions, as well as gather knowledge about the market for trading zero-day vulnerabilities.
The group accounted for the possibility that it would fail to attract any submissions, noting that in this event it would still learn something, but it was expecting at least a few submissions.
Project Zero’s discussions with hackers about the prize point to several issues that caused the lack of entries, according to Silvanovich.
The first is that excluding attacks that required user interaction may have set the bar too high. Silvanovich said it is “likely that this was a sticking point for participants”.
“While this type of bug is not unheard of, it is likely difficult to find quality bugs in this area. This means that the timeframe of the contest or prize amount may not have been adequate to elicit this type of bug,” Silvanovich wrote.
A second potential obstacle was the rule requiring contestants to submit bugs on the go, even before a full chain had been achieved.
“We underestimated the impact of other contests on participants’ incentives,” noted Silvanovich.
“We expected these rules to encourage participants to file any bugs they found immediately, as only the first finder could use a specific bug, and multiple reports of the same Android bug are fairly common. Instead, some participants chose to save their bugs for other contests that had lower prize amounts but allowed user interaction, and accept the risk that someone else might report them in the meantime.”
Finally, Project Zero is taking the absence of entries to mean the prizes were too low, given the difficulty of the rules for the contest.
On the bright side, Silvanovich said the contest was a learning experience that may help inform future contests.