Think you’ve got the hacking chops to breach a flagship Android phone? Google’s willing to pay you to prove it. On Wednesday, the Mountain View, California-based company announced Project Zero, a contest that asks enterprising hackers to demonstrate flaws in the company’s smartphone operating system in exchange for cold, hard cash.
“Despite the existence of vulnerability rewards programs at Google and other companies, many unique, high-quality security bugs have been discovered as a result of hacking contests,” Google’s Natalie Silvanovich wrote in a blog post. “The goal of this contest is to find a vulnerability or bug chain that achieves remote code execution on multiple Android devices knowing only the devices’ phone number and email address.”
Here’s how it works: Hackers who uncover a serious security bug, exploit, or flaw in Android are encouraged to publish them on the Android issue tracker, a public forum devoted to documenting
The prizes ain’t half bad. The winner of the contest takes home $200,000, while the runner-up will net $100,000. An undisclosed number of entries will be receive a consolatory prize of $50,000 as well. And there’s no way to lose: Google said bugs that aren’t submitted during the entry period may be considered for other contests like Android Security Rewards, as well as future, as-yet-unannounced promotions.
Project Zero’s impetus, Google said, was discovering bugs that would otherwise go unreported. Another motivation? Developing fixes quickly, and in some cases pre-emptively. “Our main motivation is to gain information about how these bugs and exploits work,” Silvanovich wrote.” There are often rumors of remote Android exploits, but it’s fairly rare to see one in action. We’re hoping this contest will improve the public body of knowledge on these types of exploits.”
More broadly, Google is hoping to dissuade unscrupulous types who otherwise might be inclined to sell exploits to the highest bidder. McAfee’s Center for Strategic and International Studies estimated that the cost of cybercrime is somewhere around $160 billion a year. And as use of mobile devices has climbed to unprecedented levels, the price of so-called zero-day bugs — exploits deriving from a previously unknown vulnerability — on internet black markets has mirrored that growth. A zero-day flaw in the latest version of iOS, for example, can sell for as much as $250,000, according to Wired, and some foreign governments have reportedly paid nearly half a million dollars for comparable bugs.
“We’re hoping to get dangerous bugs fixed so they don’t impact users,” Silvanovich said. “We’re [hoping] that this contest will give us another data point on the availability of these types of exploits.”
Project Zero began Wednesday.
- These Android apps are spying on you — and there’s no easy way to stop them
- Your Pixel 7 is about to get a whole lot less buggy — here’s why
- When is my phone getting Android 14? Here’s everything we know
- A new Android 14 update is here — but you still shouldn’t download it
- Your Google One plan just got 2 big security updates to keep you safe online