Wiz and the leading CSPs are launching one of the largest hacking competitions ever to secure the open-source software powering the cloud ecosystem
# Industry News: Wiz Launches Record-Breaking Cloud & AI Hacking Competition
## Summary
Wiz Research has launched "zeroday.cloud," a first-of-its-kind, large-scale hacking competition focusing on critical open-source software that underpins cloud and AI infrastructure, backed by a prize pool of up to $4.5 million. This initiative is supported by major Cloud Service Providers (CSPs) like AWS, Microsoft, and Google Cloud, highlighting a shared industry commitment to proactively addressing systemic security vulnerabilities in the foundational layers of cloud technology.
## Key Details
- Date: Announced September 30, 2025 (Event scheduled for December 10-11, 2025)
- Companies Involved: Wiz, AWS, Microsoft, Google Cloud
- Category: Industry Initiative/Research Collaboration
## The Story
Wiz Research is spearheading the zeroday.cloud competition to incentivize security researchers to find and responsibly disclose zero-day vulnerabilities in pivotal open-source components used across cloud environments. The competition targets core technologies in AI (Ollama, vLLM), Kubernetes, containerization (Docker, Linux Kernel), databases (Redis, PostgreSQL), and DevOps tooling (Jenkins, GitLab). Qualifying exploits require total system compromise, such as Container/VM Escape or 0-click RCE, underscoring the high-stakes nature of the targets. The scale of the bounty pool reflects the perceived risk associated with vulnerabilities in this shared cloud operating layer.
## Business Impact
### For the Companies Involved
- **Wiz:** Deepens its reputation as a leader in cutting-edge cloud security research, reinforces strategic partnerships with CSPs, and gains early insight into emerging threats affecting the environments its platform secures. This activity enhances its credibility and thought leadership in the market.
- **CSPs (AWS, Microsoft, Google Cloud):** Demonstrate a proactive commitment to supply chain security for cloud-native infrastructure, bolstering customer trust in the underlying platform security managed by the providers.
### For Competitors
- Competitors focused solely on vulnerability scanning or compliance may be disadvantaged if they cannot demonstrate equivalent proactive, deep-level research capabilities or strong CSP engagement. This sets a new industry standard for collaborative vulnerability sourcing outside of traditional vendor bug bounties.
### For Customers
- Provides a direct long-term benefit by accelerating the discovery and patching of deep, foundational vulnerabilities that could affect countless cloud deployments. This reduces systemic supply chain risk for customers relying on these open-source projects.
### For the Market
- Formalizes and elevates the practice of seeking out zero-days in cloud infrastructure components outside of established vendor programs. The substantial prize pool signals that systemic cloud component security is a top-tier concern for major market players.
## Technical Implications
The direct focus areas (AI inference tooling such as Ollama and vLLM, Kubernetes API components, and core virtualization stacks) show where industry research attention is shifting. The requirement for full compromise (RCE/Escape) means that successful submissions will likely represent critical, highly impactful vulnerabilities transferable across various cloud environments.
## Strategic Analysis
- **Market Positioning:** Wiz positions itself as the central orchestrator between cutting-edge threat research and major infrastructure vendors, elevating its status beyond a pure Cloud Native Application Protection Platform (CNAPP) vendor to a key security influencer.
- **Competitive Advantage:** By co-sponsoring this event with CSPs, Wiz gains implicit endorsement and deep alignment with the providers securing the cloud ecosystems, a significant differentiator.
- **Challenges:** Managing the responsible disclosure process for numerous complex vulnerabilities under rapid timelines, ensuring high-quality participation, and managing community expectations regarding the disbursement of large bounties.
## Industry Reactions
- **Analyst Opinions:** Analysts are likely to view this as a necessary and positive move, addressing security blind spots in essential open-source building blocks that traditional vendor programs often fail to cover adequately.
- **Expert Commentary:** Security experts will praise the collaboration between Wiz and the CSPs, seeing it as a necessary step to scale vulnerability disclosure for infrastructure components where security funding has historically lagged.
- **Market Response:** Increased focus on supply chain security tooling and vulnerability disclosure platforms that cater specifically to cloud infrastructure.
## Future Outlook
- This event is likely to become an annual fixture, expanding its scope to cover newer technologies as the cloud evolves (e.g., serverless runtimes, specialized hardware acceleration).
- Expect significant reporting on the types of vulnerabilities found (e.g., memory corruption in containers, logic flaws in orchestration) following the December event.
## For Security Professionals
Security engineers and developers should pay close attention to the technical findings released post-event. These zero-days, once patched, will inform immediate hardening priorities for cloud-native deployments, especially those relying on the targeted AI tooling, Kubernetes components, and database engines.