$4.5M Prize: New Cloud Hacking Challenge Opens

Summary
– Wiz has launched the Zeroday.Cloud hacking competition with $4.5 million in total bug bounties for exploits against widely used cloud software.
– The competition is organized in partnership with AWS, Google Cloud, and Microsoft, and entries must be submitted by December 1 for live demonstrations at Black Hat Europe in London.
– It features six categories: AI, Kubernetes, containers, web servers, databases, and DevOps, with individual prizes ranging from $10,000 to $300,000 depending on the target.
– Exploits must achieve total compromise of the target, meaning a container or VM escape for the container category and zero-click remote code execution for all other targets, according to Nir Ohfeld, Wiz’s Head of Vulnerability Research.
– The competition faces controversy as Trend Micro’s Zero Day Initiative accuses Wiz of copying parts of its Pwn2Own rules for the event.

A new bug-bounty competition is offering researchers substantial rewards for demonstrating critical vulnerabilities in widely used cloud software. Wiz, in collaboration with AWS, Google Cloud, and Microsoft, has launched the Zeroday.Cloud hacking competition, with a total prize pool of $4.5 million. Researchers have until December 1 to submit their entries, and the finalists are scheduled to demonstrate their exploits live at the Black Hat Europe conference in London this December.
The contest is structured across six technology categories, each with its own reward tiers. The artificial intelligence category offers bounties from $25,000 to $40,000 for successful attacks on Ollama, vLLM, and the NVIDIA Container Toolkit. For those specializing in Kubernetes and cloud-native environments, the potential earnings are higher still: exploits targeting the Kubernetes API Server can net researchers as much as $80,000, while vulnerabilities in the Kubelet server, Grafana, Prometheus, and Fluent Bit carry rewards between $10,000 and $80,000.
Container and virtualization technologies form another high-value category, paying between $30,000 and $60,000 for critical flaws in Docker, containerd, and the Linux kernel. Web servers offer some of the largest individual prizes: an Nginx exploit commands the top reward of $300,000, a successful demonstration against Tomcat earns $100,000, and researchers may receive up to $50,000 for exploits against Caddy and Envoy.
Database security is also a primary focus. The organizers are prepared to award up to $100,000 for unauthenticated remote code execution exploits affecting Redis, PostgreSQL, and MariaDB. Furthermore, the DevOps and automation software category covers tools like Apache Airflow, Jenkins, and GitLab CE, with maximum bounties set at $40,000.
According to Nir Ohfeld, Wiz’s Head of Vulnerability Research, the bar for a successful submission is high. Exploits must achieve “total compromise of the target,” which means a full container or VM escape for the container and virtualization category, and zero-click remote code execution for every other target.
Despite the significant backing and ambitious scope, the competition has not been without controversy. Trend Micro has publicly alleged that Wiz copied sections of the competition rules verbatim from its own long-running Pwn2Own hacking contest, which is operated by the Zero Day Initiative (ZDI). The claim adds a contentious note to an otherwise high-profile event aimed at strengthening cloud security across the industry.
(Source: Security Week)