Raspberry Pi Doubles the RP2350 Security Bug Bounty Prize to $20,000, Extends the Deadline

The chip's new security features stand up to attack, but will sweetening the pot make a difference?

Gareth Halfacree
13 days ago | Security / HW101 / Debugging

Raspberry Pi remains as confident as ever in the security features added to its second-generation RP2350 microcontroller — so much so, in fact, that a month after opening a contest to see if anyone could hack it, the deadline is being extended and the prize pot doubled to $20,000.

"No one has managed to break the security on our new chip yet," boasts Raspberry Pi's Chris Boross in an update to a competition launched at the DEF CON 32 conference last month. "The challenge was only due to run until September, but we’ve decided to goad the bounty hunters by doubling the prize money and extending the deadline to the end of the year. If you think you can hack it, be our guest."

Raspberry Pi announced the competition at DEF CON 32, initially focused on those who had received the event's official badge — the first hardware to hit the streets based on the RP2350, a quad-core dual-architecture design that pairs Arm Cortex-M33 cores with free and open source Hazard3 RISC-V cores. It's not the processor cores that are the focus of the contest, though, but Raspberry Pi's implementation of Arm's TrustZone and its associated functionality — security features added to the RP2350 that were missing from its predecessor, the RP2040.

Shortly after the event, the contest was opened to all: flash your DEF CON 32 badge or Raspberry Pi Pico 2 with a custom firmware that irreversibly sets one-time programmable (OTP) bits and see if you can capture a 128-bit flag embedded within, protected by the new secure boot functionality. Those who could retrieve the flag stood to win $10,000 — a figure the company has now doubled to $20,000, having had no successes during the competition's original month-long run.

The extension to the competition comes amid rumblings of the impact associated with a hardware fault dubbed erratum RP2350-E9, in which a flaw blamed on third-party IP from an unnamed vendor causes general-purpose input/output (GPIO) pins to latch at around 2.15V under conditions that Raspberry Pi says are more specific than reports from those building around its parts would suggest. Were a contest entrant able to successfully defeat the RP2350's new security features, it would likely result in a respin and the release of a new variant on a fixed stepping — something the company has suggested it is unwilling to do for the E9 flaw, which is presently dealt with in documentation alone.

Anyone looking to try their hand at the RP2350 bug bounty can find details on how to enter on the official GitHub repository.

Gareth Halfacree
Freelance journalist, technical author, hacker, tinkerer, erstwhile sysadmin. For hire: freelance@halfacree.co.uk.