Thomas Edison said: "I have not failed. I've just found 10,000 ways that won't work."
By most measures, the Google Project Zero Prize competition for Android remote exploits or bug chains was one of those "ways" that didn't work: no prizes were awarded, no bugs were uncovered and no valid entries were even submitted by the contest deadline, March 14, 2017. Taking an Edison-like attitude, the Project Zero team aimed to turn the lack of success with the Project Zero Prize into a learning experience.
"Throughout the contest, we did not receive any valid entries or bugs (everything we received was either spam, or did not remotely resemble a contest entry as described in the rules)," wrote Google Project Zero security researcher Natalie Silvanovich. "We did hear from some teams and individuals who said they were working on the contest, but they did not submit any bugs or entries."
The Project Zero Prize team did learn some lessons, which Silvanovich shared in a blog post announcing the results. She identified three key issues that may have kept potential participants from entering the contest: the difficulty of finding a fully remote Android exploit, competition from other contests and bounty programs, and the possibility that the top prizes were not large enough to motivate successful submissions.
"It is rare for fully remote Android bugs to be reported, and it is likely that this was a sticking point for participants. The majority of Android bug chains begin with some user interaction, especially clicking a link, which was not allowed in this contest. While this type of bug is not unheard of, it is likely difficult to find quality bugs in this area," Silvanovich wrote. "This means that the timeframe of the contest or prize amount may not have been adequate to elicit this type of bug."
"I think Project Zero picked up some great lessons on how the vulnerability research and exploit developer communities work, and I'm happy they're looking into how to best focus their efforts on securing the Android platform," Tod Beardsley, director of research at Rapid7, told SearchSecurity. "The population of people who can participate in these sorts of high value bug hunts is vanishingly small. The number of talented exploit developers is, by most estimates, maybe only a couple thousand, worldwide. Of those, the number who have the specialized skills needed for Android exploit development is probably down in the low hundreds, at best. As Google found out, virtually all of them already have existing relationships and expectations with established bounty programs."
The $200,000 top reward in the Project Zero Prize competition was meant to go to the first team to produce a "vulnerability or bug chain that achieves remote code execution on multiple Android devices knowing only the devices' phone number and email address," according to the original contest announcement in September 2016. The second team to submit a successful entry would have won $100,000.
"I don't think Google's prize offering was necessarily too small," Beardsley said. "Exploit developers aren't completely mercenary. If the payout were the only factor, every exploit dev would all be working for private criminal or government operations, and we'd never hear from them."
Casey Ellis, CEO and founder at Bugcrowd, told SearchSecurity that "$200,000 for a defensive reward on Android seems reasonable; however the proof is in the pudding (or lack thereof) -- in this case, it clearly wasn't enough."
"What's more surprising is the lack of any rewardable bugs. It's highly unlikely that Android is completely free from RCE vulnerabilities -- all software is vulnerable. Equally unlikely is that there aren't people out there that already know about these vulnerabilities and could be motivated by the $200,000 prize. The fact that $200,000 was not enough to flush this knowledge out says something about the value of Android vulnerabilities on the offensive market, as well as on the difficulty in finding this particular class of bug in the Android operating system."