Zeroday Cloud Hacking Contest: A New Era for Cloud and AI Security

Cloud security is getting a major spotlight with the launch of the Zeroday Cloud hacking contest, a competition that’s shaking up the cybersecurity scene. Organized by Wiz’s research arm and backed by cloud giants like Google Cloud, AWS, and Microsoft, this contest is set to take place at Black Hat Europe 2025 in London. With a staggering $4.5 million prize pool and six categories spanning AI tools, Kubernetes, containers, web servers, databases, and DevOps, the event is designed to attract top-tier security researchers and ethical hackers. The contest’s focus on open-source cloud and AI technologies comes at a time when high-profile breaches—like the 2024 Snowflake data leak and ongoing attacks on AI infrastructure—have made headlines, underscoring the urgent need for robust defenses. The contest’s eligibility rules, shaped by international sanctions, and its public spat with the established Pwn2Own competition add extra layers of intrigue and industry buzz. By incentivizing the discovery of critical vulnerabilities, the Zeroday Cloud contest aims to drive innovation and collaboration in cloud and AI security, setting the stage for new standards in vulnerability research (BleepingComputer, 2024).

Overview of the Zeroday Cloud Contest

Contest Structure and Categories

The Zeroday Cloud hacking contest is a newly launched competition focusing on open-source cloud and AI tools. It is organized by the research arm of the cloud security company Wiz, in collaboration with Google Cloud, AWS, and Microsoft. The event is set to take place on December 10 and 11, 2025, at the Black Hat Europe conference in London, UK. The contest is structured into six distinct categories, each targeting different aspects of cloud and AI technologies. These categories are:

1. AI Tools: This category includes targets such as Ollama and Vllm, each offering a $25,000 bounty, and the Nvidia Container Toolkit with a $40,000 bounty.
2. Kubernetes and Cloud-Native: Targets in this category include the Kubernetes API Server ($80,000), Kubelet Server ($40,000), Grafana with both authenticated ($10,000) and pre-authenticated remote code execution (RCE) ($40,000), Prometheus ($40,000), and Fluent Bit ($10,000).
3. Containers and Virtualization: This category features Docker with bounties for user-provided images ($40,000) and arbitrary images ($60,000), Containerd with similar bounties, and the Linux Kernel with a $30,000 bounty for container escape on Ubuntu.
4. Web Servers: Targets include nginx with a $300,000 bounty, Apache Tomcat ($100,000), Envoy ($50,000), and Caddy ($50,000).
5. Databases: This category offers bounties for Redis with authenticated ($25,000) and pre-authenticated RCE ($100,000), PostgreSQL with similar bounties, and MariaDB with the same structure.
6. DevOps & Automation: Targets include Apache Airflow ($40,000), Jenkins ($40,000), and GitLab CE ($40,000).

Prize Pool and Eligibility

The total prize pool for the Zeroday Cloud contest is $4.5 million, making it one of the most lucrative hacking competitions in the industry. However, participation is restricted based on geopolitical considerations. Residents of embargoed or sanctioned countries, including Russia, China, Iran, North Korea, Cuba, Sudan, Syria, Libya, Lebanon, and the regions of Crimea and Donetsk, are prohibited from participating. This restriction aligns with international sanctions and embargoes, ensuring compliance with global regulations.

Controversy and Industry Reactions

The announcement of the Zeroday Cloud contest sparked controversy within the cybersecurity community. The organizers of the well-established Pwn2Own hacking competitions, run by Trend Micro, publicly criticized Wiz for allegedly copying the rules from Pwn2Own Ireland. According to Juan Pablo Castro, Director of Cybersecurity Strategy & Technology at Trend Micro, a comparison of the rules for the two events revealed a “word-for-word” duplication. In response, Wiz issued a statement acknowledging that the Pwn2Own rulebook served as an inspiration, describing it as a “trusted, mature framework.”

Strategic Partnerships and Industry Impact

The collaboration between Wiz and major cloud providers like Google Cloud, AWS, and Microsoft highlights the strategic importance of the Zeroday Cloud contest. By partnering with these industry giants, Wiz aims to leverage their expertise and resources to enhance the contest’s credibility and reach. This partnership also underscores the growing importance of securing cloud and AI technologies, as these platforms become increasingly integral to modern business operations.

The contest is expected to have a significant impact on the cybersecurity landscape by encouraging researchers to focus on vulnerabilities in cloud and AI systems. By offering substantial bounties, the contest incentivizes researchers to discover and report critical vulnerabilities, ultimately contributing to the security and resilience of these technologies.

Future Prospects and Potential Developments

Looking ahead, the Zeroday Cloud contest could set a precedent for future hacking competitions by emphasizing cloud and AI security. As these technologies continue to evolve, the need for robust security measures will become even more critical. The contest’s focus on open-source tools also highlights the importance of community-driven security efforts, as open-source projects often rely on contributions from a diverse range of developers and researchers.

In the future, we may see similar contests emerge, further expanding the scope of security research and fostering collaboration between industry leaders and the cybersecurity community. The Zeroday Cloud contest could also inspire new approaches to vulnerability disclosure and reward structures, as organizations seek to balance the need for security with the incentives for researchers.

By addressing these emerging challenges, the Zeroday Cloud contest has the potential to drive innovation and improve security practices across the industry, ultimately benefiting both organizations and end-users.

Final Thoughts

The Zeroday Cloud hacking contest is more than just a competition—it’s a catalyst for change in how the industry approaches cloud and AI security. By offering record-breaking bounties and targeting open-source technologies, the contest encourages researchers to focus on the very platforms that power today’s digital world. The involvement of major cloud providers and the contest’s high-profile controversies highlight both the stakes and the collaborative spirit needed to tackle emerging threats. As cloud and AI technologies continue to evolve, initiatives like this will be crucial in surfacing vulnerabilities before malicious actors can exploit them. The Zeroday Cloud contest could well inspire a new generation of security research, reward structures, and industry partnerships, ultimately making the cloud a safer place for everyone (BleepingComputer, 2024).

References

• Zeroday Cloud hacking contest offers $4.5 million in bounties. (2024). BleepingComputer. https://www.bleepingcomputer.com/news/security/zeroday-cloud-hacking-contest-offers-45-million-in-bounties/