7 .. include:: contest-warning.txt
9 This FAQ is provided for reference only. For the complete official
10 contest rules, see the Terms and Conditions.
16 What is this contest about?
17 ===========================
19 We launched this contest in order to help make Native Client more
20 secure. We invite participants to discover security bugs in our
21 technology in order to compete to win cash prizes.
23 Where can I get more information on Native Client?
24 ==================================================
26 You can read our `research paper
27 <http://static.googleusercontent.com/external_content/untrusted_dlcp/research.google.com/en/us/pubs/archive/34913.pdf>`_
28 (PDF) or visit the site for the `Native Client open-source project
29 <http://code.google.com/p/nativeclient>`_.
31 What people are you looking for?
32 ================================
34 We are not looking for any particular participant profile. Everyone
35 who is eligible to participate based on the :doc:`Terms and Conditions
36 <contest-terms>` of the contest can sign up.
41 The first thing you need to do is to register. Then you and your team
42 members (if any) will receive an email from our team asking you to
43 review and accept the :doc:`Terms and Conditions
44 <contest-terms>`:doc:` of the contest <contest-terms>`. Once everyone
45 from your team has accepted the :doc:`Terms and Conditions
46 <contest-terms>` you can start submitting bugs through the Native
47 Client issue tracker. You should not submit any bugs as part of your
48 contest entries until everyone on your team has accepted the
49 :doc:`Terms and Conditions <contest-terms>`, as those bugs will not be
50 eligible for consideration in the contest.
52 What is the process of participating?
53 =====================================
55 After you register yourself or your team and every member of your team
56 has accepted the :doc:`Terms and Conditions <contest-terms>`, download
57 the latest build of Native Client, attack it, and identify security
58 exploits. Submit these bugs through our Native Client Issue Tracker as
59 quickly as you can, as you will only get credit for exploits that are
60 first reported by yourself or your team. Before the end of the
61 contest, you will need to submit a summary with the top 10 exploits
62 you identified. Our judges will review submitted summaries and will
63 select the top 5 contestants.
65 .. _contest_faq_prizes:
67 How many prizes are there? What are the prizes?
68 ===============================================
70 There are five cash prizes: The first prize is $8,192, the second
71 prize $4,096, the third prize is $2,048, the fourth prize is $1,024
72 and the fifth prize is $1,024. All amounts are in USD.
74 Can I sign up as a team? How many people can be a member of my team?
75 ====================================================================
77 You can sign up as a team. There is no limit to how many people can
78 participate in your team. However we recommend that you keep the size
79 of your team small so as to be able to better coordinate during the
82 What will I need to do to win?
83 ==============================
85 To participate, you will need to test the Native Client builds,
86 identify security exploits which affect the current Native Client
87 build at the time of submission and report them to our team. Our
88 judges will review your entry. If you are one of the top five
89 participants selected by the judges and satisfy the requirements for
90 eligibility, then you will win a cash prize. For more information on
91 how to participate and how your entry will be evaluated please review
92 our detailed :doc:`Terms and Conditions <contest-terms>`.
94 Who is going to judge these entries? Who are these people?
95 ==========================================================
97 Google has recruited a group of distinguished security experts to
98 serve as judges for this contest:
100 * Edward Felten — jury chair (Princeton)
101 * Alex Halderman (Michigan)
102 * Brad Karp (University College London)
103 * Greg Morrisett (Harvard)
104 * Niels Provos (Google)
105 * Stefan Savage (UCSD)
107 * Bennet Yee (Google)
108 * Nickolai Zeldovich (MIT)
110 Check out the :ref:`Judges info <contest_judges>` to learn more about
111 their careers and contributions to the security community.
113 When can I start submitting issues?
114 ===================================
116 You can start submitting issues after you and your team members (if
117 any) have completed the registration process and accepted the
118 :doc:`Terms and Conditions <contest-terms>`.
120 Registration does not work for me---what can I do?
121 ==================================================
123 We recommend that you post this problem at the Google Group. Once you
124 do so, a member from our team will reach out to you to try to diagnose
125 the issue. We will try to help you out; keep in mind though that we
126 can not be responsible for the inability of a participant to register.
128 I registered as a team but I want to change the team composition by adding or removing members. What should I do?
129 =================================================================================================================
131 Please reply to one of the registration email messages you received
132 (it should be sent to nacl-security-contest@google.com) and indicate
133 the changes you'd like to make. Please note that neither the team name
134 nor team membership can be changed once all members have accepted the
135 :doc:`Terms and Conditions <contest-terms>`.
137 I have a previous engagement and I cannot sign up until after the competition starts. Is this ok?
138 =================================================================================================
140 You can sign up until the last day of the contest May
141 5th, 2009. However, keep in mind that while you can submit bugs
142 through the Native Client Issue Tracker, none of these will be taken
143 into account unless you (and all your team members) have completed the
144 registration process prior to submitting any bugs.
146 My team has accepted the Terms and Conditions except for one person who is unavailable / whose email was misspelled / etc. What can I do?
147 =========================================================================================================================================
149 To make edits to your team's composition, or to update the contact
150 information of a team member, you will need to reply to one of the
151 registration emails you received (it should be sent to
152 nacl-security-contest@google.com) and indicate the changes you'd like
153 to make. Please note that this will mean that your team members will
154 receive an email notifying them of the changes in the team's
155 composition and asking them to re-accept the :doc:`Terms and
156 Conditions <contest-terms>`. All team members will need to re-accept
157 the :doc:`Terms and Conditions <contest-terms>` for the team to be
158 considered as active.
160 Can I enter multiple times?
161 ===========================
163 No, you cannot enter multiple times. If you register as an individual
164 you can not also register on a team and if you are on a team you can
165 not also be on another team.
167 Why do you need a prize recipient?
168 ==================================
170 Google will not be responsible for the division of any prize money
171 between members of a potential winning team. Instead Google will
172 deliver the prize to one member indicated by the team. The team is
173 solely responsible for managing the logistics of distributing the
174 prize among team members. This is why Google asks all participating
175 teams to identify a prize recipient.
177 We want to change the prize recipient. What can we do?
178 ======================================================
180 To make edits to the prize recipient before all team members have
181 accepted the :doc:`Terms and Conditions <contest-terms>`, you will
182 need to reply to one of the registration emails you received (it
183 should be sent to nacl-security-contest@google.com) and indicate the
184 changes you'd like to make. Please note that this will mean that your
185 team members will receive an email notifying them of the change and
186 asking them to re-accept the :doc:`Terms and Conditions
187 <contest-terms>`. All team members will need to re-accept the
188 :doc:`Terms and Conditions <contest-terms>` for the team to be
189 considered registered. After all team members have accepted the
190 :doc:`Terms and Conditions <contest-terms>`, there can be no changes
191 to the prize recipient.
193 I want to remain anonymous during the contest. Is this possible?
194 ================================================================
196 Yes. However, you will still need to provide us with your email
197 address to register. After the contest ends and if you are one of the
198 top 5 participants, to claim your prize, you and all of your team
199 members (if any) will need to submit to Google all necessary tax and
200 legal information that Google will need to comply with US and
201 international legal and tax regulations.
203 One of my professors / friends is a judge. Can I participate?
204 =============================================================
206 Yes, you can participate.
208 Can my company be registered as an entrant?
209 ===========================================
211 No, this is not possible under our :doc:`Terms and Conditions
214 I never signed up for this contest, but I got an email from you. What is this about?
215 ====================================================================================
217 You have probably received an e-mail identifying you as a member of
218 team that another person has created. In our email, we identified the
219 email address of a person who registered you as a teammate in the
220 Native Client Security Contest. If you want to participate in this
221 person's team, then accept the :doc:`Terms and Conditions
222 <contest-terms>` by clicking on the link included in the email. If you
223 do not wish to participate in the contest or you want to do so as a
224 member of a different team, then you can remove yourself from the list
225 of team members of that particular team.
227 I tried to sign up and it seems someone who wants to be a member of my team has already registered with another team. What can we do?
228 =====================================================================================================================================
230 If everyone in your potential teammate's original team (including
231 themselves) has accepted the :doc:`Terms and Conditions
232 <contest-terms>` of the contest, then unfortunately you will have to
233 look for other potential partners. Otherwise, your potential teammate
234 can remove themselves from the other team. All they will need to do is
235 to reply to one of the registration emails they received (it should
236 be sent to nacl-security-contest@google.com) and indicate the changes
237 to be made. Please note that this will mean that their team members
238 will receive an email notifying them of the changes in the team's
239 composition and asking them to re-accept the :doc:`Terms and
240 Conditions <contest-terms>`. All team members of that team will need
241 to re-accept the :doc:`Terms and Conditions <contest-terms>` for that
242 team to be considered as active.
244 I lost or never got the email asking me to confirm the Terms and Conditions. What can I do?
245 ===========================================================================================
247 Don't worry, just send us an email at nacl-security-contest@google.com
248 and we will send you the link you need.
250 One of our team members rejected the Terms and Conditions. What can we do?
251 ==========================================================================
253 Your team is now considered to be invalid. If this rejection happened
254 by accident, please restart the registration process. If it was
255 deliberate then create a new team with teammates who are willing to
256 accept the :doc:`Terms and Conditions <contest-terms>`. No one can
257 participate in the contest unless they have accepted the :doc:`Terms
258 and Conditions <contest-terms>` and no team can participate unless all
259 team members have accepted the :doc:`Terms and Conditions
262 How are you going to evaluate the submissions?
263 ==============================================
265 The judges will evaluate each Summary based on the following
266 criteria: a) Quality (Severity, Scope, Reliability and Style) and b)
267 Quantity. Please review the judging criteria in the contest
268 :doc:`Terms and Conditions <contest-terms>` for more information.
270 Can I include issues I submitted before the contest?
271 ====================================================
275 What is the difference between exploit, issue and summary?
276 ==========================================================
278 An exploit becomes an issue once you submit it through the Native
279 Client issue tracker. A summary can include multiple issues but not
282 What issues should I include in the summary?
283 ============================================
285 You should include a maximum of 10 issues that you and your team
286 members (if any) submitted to the Native Client Issue tracker. We
287 recommend that you carefully review the judging criteria in the
288 :doc:`Terms and Conditions <contest-terms>` to identify which bugs are
289 more likely to be perceived as high impact from our judges and could
290 help you win one of the five cash prizes. Do not include issues that
291 have been marked as duplicates or unverifiable, as these will not be
292 taken into account by our judges.
294 Why are you asking for the top 10 issues only?
295 ==============================================
297 We want to make sure that we use our judges' time wisely. Rather than
298 having them review hundreds of similar or small scale bugs, sometimes
299 identified with the same automatic process, we are limiting the number
300 of issues that each participant can submit in their summary.
302 My English is not great---will this count against me in the judging process?
303 ============================================================================
305 Entries in languages other than in English or entries that are deemed
306 incomprehensible by the judges will not be reviewed. We do not plan to
307 penalize summaries for spelling or grammar mistakes, but please make
308 your descriptions as clear as possible.
310 What information do I need to include in the issue submission?
311 ==============================================================
313 Please review the "Minimum requirements for issues" section of
314 contest's :doc:`Terms and Conditions <contest-terms>`. You will find a
315 list of all the information you will need to include in every
316 submitted issue. Failure to provide this information might make the
317 submitted issue invalid for the purposes of this contest.
319 How do I contest a decision that a bug is a duplicate?
320 ======================================================
322 Please highlight this in our Google Group and a member of our team
323 will get in touch with you.
325 Why is the Native Client team updating the source code during the contest?
326 ==========================================================================
328 We are updating Native Client's source code to fix bugs reported by
329 contest participants or exploits identified by our team. Our goal is
330 to protect contestants and other users of the Native Client software
331 from exploits that could damage their system. In addition, by updating
332 our builds, we will be providing you with more opportunities to find
333 new security bugs. Finally, we believe this will make the contest more
334 interesting by continuously raising the bar of bug finding.
336 I forgot to include something in the summary---what can I do?
337 =============================================================
339 If the contest has not ended, you may submit an updated summary. You
340 may not submit an updated summary once the contest has ended.
342 Someone from our team submitted a summary on behalf of our team without consulting with everyone else. How can we ensure that the judges will use the previous summary and not the last one?
343 ============================================================================================================================================================================================
345 If your team member submitted their version of the team's summary
346 before the end date of the contest, and if this is the last summary
347 that was submitted from your team, then the Judges will disregard all
348 previous versions of your summary and will only review this last
349 one. If the contest has not ended, you may resubmit a previous summary
350 to override the first.
352 Will you be evaluating each exploit separately for every one of the criteria?
353 =============================================================================
355 We will use our criteria to evaluate submitted summaries, not
358 I only found one exploit but I think it is very good. Can I still win?
359 ======================================================================
361 Yes. Quantity is only one of the criteria we use to evaluate submitted
364 How are you going to pick the winners?
365 ======================================
367 After the contest ends, all submitted Summaries will be judged by a
368 panel of at least three judges. The judges will evaluate each Summary
369 based on the following criteria: a) Quality (Severity, Scope,
370 Reliability and Style) and b) Quantity. Each panel will evaluate a
371 number of the submitted summaries and will select the highest ranking
372 Summaries to move to the next level of judging. Those top Summaries
373 will then be evaluated by all Judges using the same Criteria, and the
374 top five Summaries will be selected as potential winners. For more
375 information on the judging criteria and the judging process please
376 review the relevant section of the :doc:`Terms and Conditions
379 When and how are we going to find out the results of the contest?
380 =================================================================
382 We will contact all prospective winners at the email address provided
383 to us at the registration process. You may request a list of winners
384 after December 7th, 2009 by writing to: Native Client Security Contest
385 Google Inc. 1600 Amphitheater Parkway Mountain View, CA 94043 USA
387 What will Google do with my data?
388 =================================
390 The personal data you provided to Google during the Contest will be
391 stored and processed in the US within the context of the Contest. We
392 will maintain your data in the way described at the Google Privacy
393 Policy found at http://www.google.com/privacypolicy.html. Google may
394 use your data to verify your identity, postal address and telephone
395 number in the event you qualify for a prize. You have a right to
396 access and withdraw your personal data. To exercise this right, you
397 may write to: Native Client Security Contest, Google Inc., 1600
398 Amphitheater Parkway, Mountain View, CA 94043, USA.
400 I have more questions---where can I get a response?
401 ===================================================
403 We recommend to ask any additional questions you might have in the
404 Google Group. Members from our team will be monitoring the group and
405 will respond to your question there, to benefit other contest
408 I like this project. Are you hiring people to work on it full time?
409 ===================================================================
411 At Google we are always looking for great people. Please review our
412 current openings at www.google.com/jobs.
414 How can I get involved in this project besides the contest?
415 ===========================================================
417 Thank you for your interest in Native Client. You can help us by:
420 * Porting OS libraries
423 We would also like to see you participate in our discussion group.
425 Why is my country/province excluded from the contest?
426 =====================================================
428 While we seek to make this contest open worldwide, we cannot open it
429 to residents of Cuba, Iran, Syria, North Korea, Sudan, or Myanmar
430 (Burma) because of U.S. laws. In addition, the contest is not open to
431 residents of Brazil, Italy, or Quebec because of local
432 restrictions. For more information on eligibility, see the :doc:`Terms
433 and Conditions <contest-terms>`.