December 10-11 in London at the Black Hat Europe conference will be the first time conducted competitions zeroday cloud , aimed at identifying vulnerabilities in open software used in cloud environment. The prize pool of the competition is determined at $ 4.5 million. The largest bonus, the size of 300 thousand dollars, is appointed for hacking Nginx. Prizes, the size of 100 thousand dollars, are assigned for hacking Apache Tomcat, Redis, PostgreSQL and Mariadb.
To receive premiums, participants must demonstrate working exploits in which previously unknown vulnerabilities (0-day) are used. In the “Virtualization” category, exploites should allow you to go beyond the isolated container or virtual machine, and in other categories to lead to remote execution of your code. Settings of hackled applications are posted on Github.
The following categories, applications for attack and rewards:
- Containers and virtualization:
- doCker ($ 40,000 for a container prepared by the attacking image and $ 60,000 when attacking any image),
- Containerd ($ 40,000/$ 60 000),
- Linux core from Ubuntu ($ 30,000).
- web servers:
- nginx ($ 300,000),
- apache tomcat ($ 100,000),
- envoy ($ 50,000),
- caddy ($ 50,000).
- DBMS:
- redis ($ 25,000 for RCE with authenticated access, $ 100,000 – with non -utterated),
- postgreSQL ($ 20,000/$ 100,000),
- mariadb ($ 20,000/$ 100,000).
- ai:
- ollama ($ 25,000),
- vllm ($ 25,000),
- nvidia container toolkit ($ 40,000 for a way out of the container).
- kubernetes and cloud-native:
- kubernetes api Server ($ 40,000),
- kubelet server ($ 80,000),
- grafana ($ 10,000 for RCE for an authenticated entrance and $ 40,000 for RCE without authentication),
- prometheus ($ 40,000),
- Fluent Bit ($ 10,000).
- Automation tools and Devops:
- apache airflow ($ 40,000),
- jenkins ($ 40,000),
- gitlab ce ($ 40,000).