
$4.5M Bounty: Zeroday Cloud Hacking Contest

Summary

– Zeroday Cloud is a new hacking competition with a $4.5 million prize pool for exploits targeting open-source cloud and AI tools.
– The competition is organized by Wiz in partnership with Google Cloud, AWS, and Microsoft, taking place December 10-11 at Black Hat Europe in London.
– It features six categories with specific targets and bounties ranging from $10,000 to $300,000, including AI, Kubernetes, containers, web servers, databases, and DevOps tools.
– Participants must submit exploits that achieve complete compromise, such as container escape or remote code execution, and can register via HackerOne with one entry per target.
– Trend Micro accused Wiz of copying Pwn2Own rules, to which Wiz admitted being inspired by the Pwn2Own framework.

A major new hacking competition is offering a $4.5 million prize pool for security researchers who can discover and demonstrate critical vulnerabilities in widely used open-source cloud and AI tools. Named Zeroday Cloud, this event is organized by the research division of cloud security firm Wiz, with backing from industry giants Google Cloud, AWS, and Microsoft. The contest is scheduled to take place on December 10 and 11 during the Black Hat Europe conference in London.

Participants can compete in six distinct categories, each featuring specific targets with bounties ranging from $10,000 to $300,000. The categories include AI, Kubernetes and Cloud-Native platforms, Containers and Virtualization, Web Servers, Databases, and DevOps & Automation tools. For an exploit to qualify, it must achieve a complete compromise of the target system. This means demonstrating a full container or virtual machine escape for virtualization targets, or a zero-click remote code execution vulnerability for others.

The organizers have provided detailed conditions for each target, along with technical resources like pre-configured Docker containers to help researchers test their exploits. Interested participants must register through the HackerOne platform and complete identity verification and tax documentation by November 20. While researchers can submit entries for multiple targets, they are limited to a single submission per specific target. Those whose exploits are approved will be invited to present their findings live at the event, either individually or as part of a team of up to five people.

The competition is not open to residents of countries or regions under international embargo or sanctions. This restriction applies to individuals in Russia, China, Iran, North Korea, Cuba, Sudan, Syria, Libya, Lebanon, and the regions of Crimea and Donetsk.

Following the contest’s announcement, organizers of the long-running Pwn2Own hacking competitions voiced strong objections. Trend Micro publicly accused Wiz of copying the rulebook from their Pwn2Own Ireland event. Juan Pablo Castro, Director of Cybersecurity Strategy & Technology at Trend Micro, highlighted that a comparison performed by Google’s Gemini AI showed the rules were a “word-for-word” copy.

In response, Wiz issued a statement aiming to defuse the situation. They acknowledged that the Pwn2Own rulebook served as “a trusted, mature framework by which we were inspired,” while maintaining the integrity and purpose of their own event.

(Source: Bleeping Computer)
