Google has launched kvmCTF, a new vulnerability reward program (VRP) first announced in October 2023 to improve the security of the Kernel-based Virtual Machine (KVM) hypervisor, with bounties of $250,000 for full VM escape exploits.
KVM, an open-source hypervisor with over 17 years of development, is a critical component in consumer and enterprise settings, powering Android and Google Cloud platforms.
As an active and key KVM contributor, Google developed kvmCTF as a collaborative platform to help identify and fix vulnerabilities, bolstering this vital security layer.
Like Google’s kernelCTF vulnerability reward program, which targets Linux kernel security flaws, kvmCTF focuses on VM-reachable bugs in the Kernel-based Virtual Machine (KVM) hypervisor.
The goal is to execute successful guest-to-host attacks; QEMU or host-to-KVM vulnerabilities will not be awarded.
Security researchers who enroll in the program are provided with a controlled lab environment where they can use exploits to capture flags. However, unlike other vulnerability reward programs, kvmCTF focuses on zero-day vulnerabilities and will not reward exploits targeting known vulnerabilities.
The reward tiers for kvmCTF are as follows:
- Full VM escape: $250,000
- Arbitrary memory write: $100,000
- Arbitrary memory read: $50,000
- Relative memory write: $50,000
- Denial of service: $20,000
- Relative memory read: $10,000
The kvmCTF infrastructure is hosted on Google’s Bare Metal Solution (BMS) environment, highlighting the program’s commitment to high security standards.
“Participants will be able to reserve time slots to access the guest VM and attempt to perform a guest-to-host attack. The goal of the attack must be to exploit a zero day vulnerability in the KVM subsystem of the host kernel,” said Google software engineer Marios Pomonis.
“If successful, the attacker will obtain a flag that proves their accomplishment in exploiting the vulnerability. The severity of the attack will determine the reward amount, which will be based on the reward tier system explained below. All reports will be thoroughly evaluated on a case-by-case basis.”
Google will receive details of discovered zero-day vulnerabilities only after upstream patches are released, ensuring the information is shared with the open-source community simultaneously.
To get started, participants must review the kvmCTF rules, which include information on reserving time slots, connecting to the guest VM, obtaining flags, mapping various KASAN violations to reward tiers, as well as detailed instructions on reporting vulnerabilities.