The Wiz Research team is proud to launch zeroday.cloud, a first-of-its-kind cloud hacking competition with a prize pool totaling up to about $4.5 million in bounties, making zeroday.cloud one of the largest cloud hacking events ever held.

Cloud and AI now power critical systems around the world, from hospitals and banks to governments and entire economies. These cloud platforms are built on top of many open-source projects, like database engines and virtualization technologies. As we’ve demonstrated in some of our recent work, a single vulnerability in such projects can affect the entire cloud ecosystem. Despite the critical impact, some of these projects don’t have the backing of a major bug bounty program to incentivize top-tier security researchers. Until now. 

zeroday.cloud is a natural extension of our mission at Wiz Research: uncover emerging threats in cloud infrastructure, share our findings, and help vendors patch vulnerabilities quickly. This is a space that needs greater visibility and collaboration, so we’re inviting the broader security community to join us and accelerate the future of cloud and AI security together.

About zeroday.cloud

zeroday.cloud is where responsible researchers can dissect the software powering the cloud, identify critical zero-days, and help fix them in partnership with vendors.

We’re incredibly grateful to AWS, Microsoft, and Google Cloud for partnering with Wiz Research to make zeroday.cloud possible. Their support shows a shared industry commitment to advancing cloud security for everyone.

The competition will take place at Black Hat Europe in London, December 10 and 11. 

Researchers can compete across six categories:

• AI: Ollama, vLLM, NVIDIA Container Toolkit (Container Escape)

• Kubernetes and Cloud-Native: Kubernetes API Server, Kubelet Server, Grafana, Prometheus, Fluent Bit

• Containers and Virtualization: Docker, Containerd, Linux Kernel (Ubuntu)

• Web Servers: nginx, Apache Tomcat, Envoy, Caddy

• Databases: Redis, PostgreSQL, MariaDB

• DevOps & Automation: Apache Airflow, Jenkins, GitLab CE

Submitted exploits should result in total compromise of the target, meaning a full Container/VM Escape for the Virtualization category, and a 0-click Remote Code Execution (RCE) vulnerability for other targets.

Contestants may submit exploits for different targets. Submissions will be demonstrated live by the contestant, on stage in London, and judged by Wiz Research together with some of our CSP partners. Winning submissions will win a generous cash prize, as detailed on zeroday.cloud.

Join us

Cloud and AI are reshaping the world. It’s up to us to secure them together.

If you’re ready to test your skills, make a difference, and help shape the future of cloud security, visit zeroday.cloud to register your exploit and learn more. And for any questions that aren’t answered in our Contest Rules or FAQ on zeroday.cloud, please contact us at zerodaycloud@wiz.io.

We’ll see you in London!