Article Details
Scrape Timestamp (UTC): 2024-07-02 18:09:31.630
Original Article Text
Google now pays $250,000 for KVM zero-day vulnerabilities

Google has launched kvmCTF, a new vulnerability reward program (VRP) first announced in October 2023 to improve the security of the Kernel-based Virtual Machine (KVM) hypervisor. The program comes with $250,000 bounties for full VM escape exploits.

KVM, an open-source hypervisor with over 17 years of development, is a crucial component in consumer and enterprise settings, powering Android and Google Cloud platforms. An active and key KVM contributor, Google developed kvmCTF as a collaborative platform to help identify and fix vulnerabilities, bolstering this vital security layer.

Like Google's kernelCTF vulnerability reward program, which targets Linux kernel security flaws, kvmCTF focuses on VM-reachable bugs in the KVM hypervisor. The goal is to execute successful guest-to-host attacks; QEMU or host-to-KVM vulnerabilities will not be awarded.

Security researchers who enroll in the program are provided with a controlled lab environment where they can use exploits to capture flags. However, unlike other vulnerability reward programs, kvmCTF focuses on zero-day vulnerabilities and will not reward exploits targeting known vulnerabilities.

The reward tiers for kvmCTF are as follows:

The kvmCTF infrastructure is hosted on Google's Bare Metal Solution (BMS) environment, highlighting the program's commitment to high-security standards.

"Participants will be able to reserve time slots to access the guest VM and attempt to perform a guest-to-host attack. The goal of the attack must be to exploit a zero day vulnerability in the KVM subsystem of the host kernel," said Google software engineer Marios Pomonis. "If successful, the attacker will obtain a flag that proves their accomplishment in exploiting the vulnerability. The severity of the attack will determine the reward amount, which will be based on the reward tier system explained below. All reports will be thoroughly evaluated on a case-by-case basis."

Google will receive details of discovered zero-day vulnerabilities only after upstream patches are released, ensuring the information is shared with the open-source community simultaneously.

To get started, participants must review the kvmCTF rules, which include information on reserving time slots, connecting to the guest VM, obtaining flags, mapping various KASAN violations to reward tiers, as well as detailed instructions on reporting vulnerabilities.
Daily Brief Summary
Google has introduced kvmCTF, a new vulnerability reward program emphasizing security improvements in the Kernel-based Virtual Machine (KVM) hypervisor, with rewards up to $250,000 for uncovering zero-day vulnerabilities.
The initiative, first announced in October 2023, is designed for developing robust security safeguards, particularly for systems powering Android and Google Cloud platforms where KVM plays a critical role.
The focus of kvmCTF is on VM-reachable bugs that enable successful guest-to-host attacks; QEMU or host-to-KVM vulnerabilities will not qualify for rewards.
Participants in kvmCTF will operate within a controlled environment hosted on Google's Bare Metal Solution (BMS), which is set up to facilitate and secure testing processes.
Unlike other programs, kvmCTF specifically targets zero-day vulnerabilities, providing high rewards for newly discovered and previously unreported vulnerabilities instead of known issues.
Successful exploits leading to guest-to-host system breaches will be rewarded based on severity, with a structured reward tier system guiding the potential bounty amounts.
Submitted zero-day flaws will be shared with the open-source community only after the relevant patches have been released, ensuring responsible vulnerability disclosure and enhancing overall community security.