Not a single entry for Google's Android bug bounty

Google's Project Zero security team has not received a single valid submission in its US$350,000 (A$458,000) bug bounty prize for zero-day flaws.

The six-month submission period for Google's Project Zero has now ended, and the security team said "everything we received was either spam, or did not remotely resemble a contest entry as described in the rules".

The high stakes prize asked researchers to compete to find any existing vulnerability or bug chain that would allow remote code execution to be carried out on multiple Android devices, knowing only the devices’ phone number and email address.

But not a single entry came forward, prompting the Project Zero team to hypothesise that maybe the US$200,000 first prize simply wasn't big enough to make such a disclosure worthwhile.

"It’s difficult to determine the right prize amount for this type of contest, and the fact that we did not receive any entries suggests that the prize amount might have been too low considering the type of bugs required to win this contest," Project Zero's Natalie Silvanovich wrote.

After a period of soul searching, the Project Zero team said it's also possible the specific type of vulnerability it asked for was too difficult to find, or maybe it didn't give researchers a long enough period to work within.

It also thinks researchers may have opted to enter other bug competitions with a lower threshold for entry instead.

"Overall, this contest was a learning experience, and we hope to put what we’ve learned to use in Google’s rewards programs and future contests," Silvanovich said.

When Google announced the competition back in September, it said it hoped to intercept any remote code execution flaws before they could impact Android users.

"Contests often lead to types of bugs that are less commonly reported getting fixed, so we’re hoping this contest leads to at least a few bugs being fixed in Android."