Google suspects that the monetary award for its Project Zero Prize bug bounty contest may not have been high enough to stir vulnerability researchers into action.

Google's Project Zero Prize ironically lived up to its name when the company announced last week that not a single researcher submitted a valid entry to the company's bug bounty contest.

Launched last September, the competition tasked challengers with finding a vulnerability or bug chain that could remotely execute code on multiple Android devices without any user interaction, knowing only the devices' phone numbers and email addresses.

While several teams and individuals claimed that they were working on an entry, Google ended up receiving only spam and invalid entries that did not follow submission guidelines, the company reported.

Google acknowledged that its $200,000 grand prize may not have been sufficient to entice researchers. Ilia Kolochenko, CEO of web security company High-Tech Bridge, agreed, noting that Google also recently increased its bug-bounty reward for remote code execution exploits by 56.7 percent.

“This potential ‘pay-rise’ for white hat hackers tells something for certain, that black hats are paying more for vulnerabilities, and even the highest bounties offered by Google and Microsoft are no longer competitive with what cybercriminals can offer now,” said Kolochenko. “The rise in bounty clearly means that talented white hat security researchers are too busy with their well-paid daily jobs to bother spending time hunting risky bounties.”

Google also suggested that its bug criteria may have been too narrow, and that other competitions may have drawn interest away from the Project Zero Prize.