A new hacking competition called Zeroday Cloud, created by the research arm of cloud security company Wiz in collaboration with Google Cloud, AWS, and Microsoft, has announced a massive prize pool of $4.5 million in bug bounties. This contest is focused on finding vulnerabilities and exploits in open-source cloud and AI tools. The event is scheduled for December 10 and 11, coinciding with the Black Hat Europe conference in London, UK.
The competition is structured into six different categories, each with a range of bug bounties from $10,000 to $300,000. These categories include AI (Ollama, Vllm, Nvidia Container Toolkit), Kubernetes and Cloud-Native (Kubernetes API Server, Kubelet Server, Grafana, Prometheus, Fluent Bit), Containers and Virtualization (Docker, Containerd, Linux Kernel), Web Servers (nginx, Apache Tomcat, Envoy, Caddy), Databases (Redis, PostgreSQL, MariaDB), and DevOps & Automation (Apache Airflow, Jenkins, GitLab CE). For an exploit to be considered valid, it must demonstrate a complete compromise of the target system, such as a “full Container/VM Escape” or a “0-click Remote Code Execution (RCE) vulnerability.”
To make the competition fair, organizers will provide participants with the necessary technical resources, including Docker containers with targets set to their default configuration, allowing researchers to test their exploits in a controlled environment. Researchers can register through the HackerOne platform and are required to complete ID verification and tax forms by November 20. Participants can submit exploits for as many targets as they wish, but only one entry is allowed per target. Successful submitters will be invited to demonstrate their exploits live during the event, either individually or in teams of up to five members. However, residents of certain sanctioned countries and regions, including Russia, China, Iran, and North Korea, are restricted from participating.
The announcement of Zeroday Cloud was met with criticism from the organizers of the long-standing Pwn2Own hacking competitions, which have been running successfully for years. Trend Micro, the company behind Pwn2Own, publicly accused Wiz of copying its rulebook. Juan Pablo Castro, Trend Micro’s Director of Cybersecurity Strategy & Technology, claimed that a comparative analysis by Gemini showed the rules for the two events were “word-for-word” copies. In response, Wiz issued a statement that admitted Pwn2Own’s rulebook was a “trusted, mature framework by which we were inspired,” attempting to de-escalate the dispute.
This event highlights the increasing importance of securing open-source software, particularly in cloud and AI environments, as well as the competitive landscape of bug bounty programs. It also underscores the ethical debates surrounding intellectual property in the cybersecurity community. While Wiz’s initiative is poised to discover and fix critical vulnerabilities, the controversy with Trend Micro raises questions about the originality and inspiration behind such large-scale competitions.
Reference:
