A new hacking competition called Zeroday Cloud has announced a total prize pool of $4.5 million in bug bounties for researchers who submit exploits for various open-source cloud and AI tools1. This initiative, organized by Wiz Research and backed by an unprecedented coalition of cloud rivals—AWS, Google Cloud, and Microsoft—represents a significant industry-wide effort to secure the foundational software underpinning the global digital economy8.
The competition will culminate in a live, on-stage exploit demonstration at the Black Hat Europe conference in London, with a submission deadline of December 1, 2025, and the live event scheduled for December 10-11, 20251, 8. The scope is vast, targeting critical components of the modern tech stack, from AI infrastructure and Kubernetes to web servers and databases. The bar for success is set high, requiring submissions to demonstrate a “total compromise,” such as a full Container/VM Escape or a 0-click Remote Code Execution (RCE)2, 8.
Strategic Collaboration and High-Value Targets
The collaboration between AWS, Google Cloud, and Microsoft for Zeroday Cloud is a rare show of unity in the competitive cloud market. A Google employee’s LinkedIn post explicitly confirmed the partnership, highlighting Google’s pride in this “first-of-its-kind” initiative5. This “industry-wide collaboration” is noted as a “unified commitment to strengthening digital defenses”8. The competition aims to address a specific gap in the security ecosystem by focusing on open-source software (OSS) that often “lack[s] robust incentives to attract top-tier security researchers”8.
The list of in-scope targets reflects the complex and critical attack surface of contemporary infrastructure. The bounty amounts are substantial, signaling the high value placed on vulnerabilities within these components. For instance, a critical vulnerability in the Nginx web server carries a bounty of $300,000, while the Kubernetes API Server is valued at $80,0001, 2. Other high-profile targets include AI infrastructure like Ollama and vLLM, container runtimes like Docker and Containerd, and databases such as Redis and PostgreSQL.
| Category | Target | Bounty |
|---|---|---|
| Web Servers | Nginx | $300,000 |
| Web Servers | Apache Tomcat | $100,000 |
| Kubernetes | Kubernetes API Server | $80,000 |
| AI Infrastructure | Ollama, vLLM | $25,000 – $40,000 |
| Databases | PostgreSQL, Redis | Up to $100,000 |
Controversy and Corporate Tension
The launch of Zeroday Cloud was not without controversy. Shortly after its announcement, Trend Micro’s Zero Day Initiative (ZDI), a well-established player in the bug bounty space, publicly accused Wiz of copying sections of its Pwn2Own competition rules “word-for-word”2, 4. This accusation introduces a layer of corporate tension and highlights the competitive pressures within the vulnerability research market. The dispute underscores the high stakes involved, not just for the researchers but for the organizations vying for leadership and influence in the security research community.
This controversy occurs against the backdrop of a major potential industry shift: Google’s planned $32 billion acquisition of Wiz2. If completed, this acquisition would fundamentally alter the cloud security landscape, merging Wiz’s deep cloud asset visibility with Google’s vast infrastructure. The collaboration in Zeroday Cloud, therefore, exists within a complex web of both partnership and competition among the world’s largest technology providers.
Broader Context: The Microsoft Zero Day Quest
Zeroday Cloud is not the only major hacking contest on the horizon. Microsoft has announced its own Zero Day Quest for 2026, with a separate bounty pool of $5 million3, 6. This two-phase event includes an open “Research Challenge” running from August 4 to October 4, 2025, followed by an invite-only “Live Hacking Event” at Microsoft’s Redmond campus in Spring 2026. The focus is squarely on Microsoft’s own cloud and AI portfolio, including Azure, Copilot, Dynamics 365, and identity services like Entra ID.
Microsoft is incentivizing early research with a significant +50% bounty multiplier for Critical severity vulnerabilities found during the initial Research Challenge phase3, 6. The company has a proven track record with this format; the first Zero Day Quest in 2025 resulted in $1.6 million paid to researchers6. Microsoft has also pledged to share learnings across the company and transparently issue CVEs for critical vulnerabilities found, aligning with its broader Secure Future Initiative (SFI)3.
Relevance and Implications for Security Professionals
For security teams, the outcomes of these competitions will have direct and tangible effects. The vulnerabilities discovered and subsequently patched will directly influence patch management cycles and vulnerability prioritization. The focus on open-source components is a direct response to the escalating threat of software supply chain attacks, as seen in incidents like the XZ backdoor and malware campaigns on public package repositories like PyPI and npm.
The specific targets in these competitions map directly to technologies frequently exploited in real-world attacks. The inclusion of web servers like Nginx and Apache Tomcat, identity systems like Microsoft Entra, and remote management tools like ConnectWise ScreenConnect reflects the common entry points for groups like APT29 (Midnight Blizzard) and various ransomware operations. Furthermore, the dedicated AI category underscores the industry’s urgent need to secure nascent AI pipelines and models from novel threats.
These contests also serve as a form of large-scale, crowd-sourced security auditing. The findings will pressure software vendors to adopt more rigorous secure-by-design principles and improve the transparency of their Software Bill of Materials (SBOM). For defensive teams, the research published from these events will provide critical intelligence for threat hunting and detection engineering, offering insights into emerging attack techniques against core infrastructure.
The combined ~$10 million prize pool between Zeroday Cloud and Microsoft’s Zero Day Quest represents a seismic shift in the value placed on offensive security research for core infrastructure. It highlights the existential threat that vulnerabilities in cloud and AI layers now pose to global business operations. For researchers, it is a historic financial opportunity; for organizations, the resulting patches and security advisories will shape the security posture of their cloud and AI investments for years to come.
References
- “Zeroday.Cloud Official Website,” Zeroday Cloud, 2025.
- “Zeroday Cloud hacking contest offers $4.5 million in bounties,” BleepingComputer, 2025.
- “Microsoft Zero Day Quest,” Microsoft Security Response Center, 2025.
- “ZDI Blog,” Zero Day Initiative, 2025.
- [Google Employee LinkedIn Post], LinkedIn, 2025.
- “Announcing Microsoft Zero Day Quest 2026,” Microsoft Security Response Center Blog, Jun. 2025.
- [Source 7 – Context indicates this is likely a general news article about the contest, but a specific URL was not provided in the source material].
- “Zeroday Cloud Contest Offers $4.5M in Bounties for Open-Source Cloud, AI Tools,” SecurityWeek, 2025.
