A new hacking competition called Zeroday Cloud, focused on open-source cloud and AI tools, announced a total prize pool of $4.5 million in bug bounties for researchers who submit working exploits against a fixed list of targets.
The contest is launched by the research arm of cloud security company Wiz in partnership with Google Cloud, AWS, and Microsoft, and is scheduled for December 10 and 11 at the Black Hat Europe conference in London, UK.
Zeroday Cloud has six separate categories researchers can participate in, with bug bounties between $10,000 and $300,000:
- AI – Ollama ($25k), vLLM ($25k), Nvidia Container Toolkit ($40k)
- Kubernetes and Cloud-Native – Kubernetes API Server ($80k), Kubelet Server ($40k), Grafana ($10k auth RCE, $40k pre-auth RCE), Prometheus ($40k), Fluent Bit ($10k)
- Containers and Virtualization – Docker ($40k user-provided image, $60k arbitrary image), Containerd ($40k user-provided image, $60k arbitrary image), Linux Kernel ($30k container escape on Ubuntu)
- Web Servers – nginx ($300k), Apache Tomcat ($100k), Envoy ($50k), Caddy ($50k)
- Databases – Redis ($25k auth RCE, $100k pre-auth RCE), PostgreSQL ($20k auth RCE, $100k pre-auth RCE), MariaDB ($20k auth RCE, $100k pre-auth RCE)
- DevOps & Automation – Apache Airflow ($40k), Jenkins ($40k), GitLab CE ($40k)
The rules of the competition say that submitted exploits must result in complete compromise of the target. Wiz explains that this means “a full Container/VM Escape for the Virtualization category, and a 0-click Remote Code Execution (RCE) vulnerability for other targets.” In other words, exploits that require user interaction, or that need an already-authenticated session where the target's bounty is listed as pre-auth, do not meet the bar.
The organizers also publish the conditions for each target, together with instructions and technical resources (a Docker container running the target in its default configuration) that researchers can use to test their exploits against the same setup that will be used on stage.
Researchers who register through the HackerOne platform and complete their ID verification and Tax Forms by November 20, are free to submit exploits for as many targets as they like, but they are limited to only one entry per target.
Submitters of approved exploits will be invited to demonstrate them live during the event, either alone or in a team of up to five members.
People residing in embargoed or sanctioned countries such as Russia, China, Iran, North Korea, Cuba, Sudan, Syria, Libya, Lebanon, and also the regions of Crimea and Donetsk, are restricted from participating in the Zeroday Cloud contest.
The complete rules for the zeroday.cloud hacking competition are available on the event's website.
The announcement for the event, however, did not sit well with the organizers of the Pwn2Own hacking competitions, which Trend Micro's Zero Day Initiative has been running since 2007.
In a public post, Trend Micro called out Wiz for copying the rules for Pwn2Own Ireland. Juan Pablo Castro, Director of Cybersecurity Strategy & Technology at Trend Micro, said that Gemini's output when comparing the rules for the two events was a “word-for-word” copy.
Wiz responded with a conciliatory statement, acknowledging that the Pwn2Own rulebook was “a trusted, mature framework by which we were inspired.”