The Google’s Project Zero security team did not receive even a single valid submission in their US$350,000 (A$458,000) bug bounty prize for finding zero-day flaws.
The submission period for Google’s Project Zero is six-month and it now came to an end. The security team told “everything we received is either a spam, or did not remotely resemble to a contest entry as described in the contest rules”.
The high stakes prize asked the researchers to compete and find any existing vulnerability or bug chain which would allow a remote code execution to be carried out on Android devices, knowing only just the devices’ email address and phone number.
But not even a single entry came forward, prompting Project Zero team to hypothesise that the US$200,000 first prize is simply isn’t big enough to make a disclosure like that worthwhile.
“It is difficult to determine the correct prize amount for this kind of contest, and the fact that we did not receive any entries at all suggests that the prize amount might have been very low considering the type of bugs required to win a contest like this,” the Project Zero’s Natalie Silvanovich said.
After a period of soul-searching, Project Zero team said it is also possible that the specific type of vulnerability it asked for was just too difficult to find, or maybe it did not give researchers a long enough time to work within.
“Overall, this contest was a learning experience for us, and we hope to put what we have learned to use in Google’s rewards programs and other future contests,” Silvanovich said.
When Google announced the competition back in September, it said it hoped to intercept any remote code execution flaws before they could impact Android users.
“Contests often lead to types of bugs that are less commonly reported getting fixed, so we’re hoping this contest leads to at least a few bugs being fixed in Android.”