Hacking Google’s Android mobile operating system has never been more appealing. Not because it’s used on more than 1.4 billion devices around the world, but because Google’s Project Zero will reward you with a lot of money.

"Despite the existence of vulnerability rewards programs at Google and other companies, many unique, high-quality security bugs have been discovered as a result of hacking contests," announced Natalie Silvanovich. "Hoping to continue the stream of great bugs, we’ve decided to start our own contest: The Project Zero Prize."

Before we get into the specifics, let’s take a quick look at the prizes that are up for grabs:

• 1st prize – $200,000USD.
• 2nd prize – $100,000USD.
• 3rd prize – $50,000USD.

The first winning entry will get the biggest prize, a grand total of $200K. The second winning entry will get half as much, mainly $100K. And all additional winning entries will get at least $50K via the Android Security Rewards program.

Details about the winning entries will be posted on the Project Zero Blog. Participants who submitted a winning entry will be invited to write a short technical repot that will be made available to the public via the Project Zero blog.


Winning all this money isn’t going to be easy. Google’s Project Zero asks you to find a vulnerability or bug chain that achieves remote code execution on multiple Android devices – just by knowing the devices' number and email address.

The contest lasts for 6 months, until March 14, 2017. If you find any bugs during this time, you mustn’t wait until you have an entire bug chain. Project Zero wants you to submit these bugs via the Android issue tracker. You can use these bugs as part of your submission, any time during the contest. But please note that only the first person to file a bug can use it as a part of their submission.

If you find a bug but you don’t use it in a submission, it will be considered for a reward (Android Security Rewards and any other rewards program at Google).


Why is Google’s Project Zero running such a contest? Natalie Silvanovich explains:

"Our main motivation is to gain information about how these bugs and exploits work. There are often rumours of remote Android exploits, but it’s fairly rare to see one in action. We’re hoping this contest will improve the public body of knowledge on these types of exploits. Hopefully this will teach us what components these issues can exist in, how security mitigations are bypassed and other information that could help protect against these types of bugs."

Natalie Silvanovich added that contests such as this one lead to the discovery of bugs that are less commonly reported. Project Zero hopes to find and fix these bugs so they don’t impact users. Furthermore, Project Zero hopes that the contest will offer some insight on the availability of dangerous exploits.

If you want to learn more about The Project Zero Prize, go check out the contest rules and this FAQ.


Introduced back in the summer of 2014, Project Zero is an initiative that focuses on the security of "any software depended upon by large numbers of people". A team of security experts analyzes popular software with the aim of finding security holes that could be exploited by people with malicious intent. Uncovered bugs are filed in an external database, developers are notified about these bugs, research is conducted to find solutions.

"Our objective is to significantly reduce the number of people harmed by targeted attacks," explained Google security engineer Chris Evans at the time. "We're hiring the best practically-minded security researchers and contributing 100% of their time toward improving security across the Internet.”