Google now pays $250,000 for KVM zero-day vulnerabilities

Google has launched kvmCTF, a new vulnerability reward program (VRP) first announced in October 2023 to improve the security of the Kernel-based Virtual Machine (KVM) hypervisor, which offers $250,000 bounties for full VM escape exploits.

KVM, an open-source hypervisor with over 17 years of development, is a key component in consumer and enterprise environments, powering Android and Google Cloud platforms.

An active and key KVM contributor, Google developed kvmCTF as a collaborative platform to help identify and fix vulnerabilities, bolstering this vital security layer.

Like Google’s kernelCTF vulnerability reward program, which targets Linux kernel security flaws, kvmCTF focuses on VM-reachable bugs in the Kernel-based Virtual Machine (KVM) hypervisor.

The goal is to execute successful guest-to-host attacks; QEMU or host-to-KVM vulnerabilities will not be awarded.

Security researchers who enroll in the program are provided with a controlled lab environment where they can use exploits to capture flags. However, unlike other vulnerability reward programs, kvmCTF focuses on zero-day vulnerabilities and will not reward exploits targeting known vulnerabilities.

The reward tiers for kvmCTF are as follows:

  • Full VM escape: $250,000
  • Arbitrary memory write: $100,000
  • Arbitrary memory read: $50,000
  • Relative memory write: $50,000
  • Denial of service: $20,000
  • Relative memory read: $10,000

The kvmCTF infrastructure is hosted on Google’s Bare Metal Solution (BMS) environment, highlighting the program’s commitment to high security standards.

“Participants will be able to reserve time slots to access the guest VM and attempt to perform a guest-to-host attack. The goal of the attack must be to exploit a zero day vulnerability in the KVM subsystem of the host kernel,” said Google software engineer Marios Pomonis.

“If successful, the attacker will obtain a flag that proves their accomplishment in exploiting the vulnerability. The severity of the attack will determine the reward amount, which will be based on the reward tier system explained below. All reports will be thoroughly evaluated on a case-by-case basis.”

Google will receive details of discovered zero-day vulnerabilities only after upstream patches are released, ensuring the information is shared with the open-source community simultaneously.

To get started, participants must review the kvmCTF rules, which include information on reserving time slots, connecting to the guest VM, obtaining flags, mapping various KASAN violations to reward tiers, as well as detailed instructions on reporting vulnerabilities.