At the end of June, Google launched a special bug bounty program to find security gaps in the kernel-based virtual machine (KVM) hypervisor. The program was named “kvmCTF”.
In its announcement, Google writes that KVM is a robust, open source hypervisor widely used in consumer and enterprise environments, including Android and Google’s cloud. Google is an active contributor to the project and designed kvmCTF to help find and fix vulnerabilities collaboratively, thereby hardening this fundamental security boundary.
Google provides a testing environment
The company provides lab environments where participants can log in and use their exploits to obtain flags (CTF: Capture the Flag). The focus of kvmCTF is on zero-day vulnerabilities, so there is no reward for already known vulnerabilities. Google wants to share detailed information about zero-day vulnerabilities only once patches have been merged and published. This is to ensure that Google receives the details at the same time as the rest of the open source community.
kvmCTF uses Google’s Bare Metal Solution (BMS) environment to host the infrastructure. Rewards are tiered by the severity of the demonstrated vulnerability. Google lists the following tiers:
- Full VM breakout: $250,000
- Arbitrary memory write: $100,000
- Arbitrary memory read: $50,000
- Relative memory write: $50,000
- Denial of service: $20,000
- Relative memory read: $10,000
For relative memory read and write submissions, as well as some denial-of-service submissions, kvmCTF offers the option of using a host with KASAN (Kernel Address Sanitizer) enabled. When KASAN detects an invalid memory access, participants receive a flag as proof of the violation.
Those who are interested can find the full kvmCTF rule set on GitHub. The project’s maintainers at Google are also available on Discord for questions and discussions.
For Google, bug bounty programs are usually a complete success. In May, the company announced that its bug bounty program for Android apps, the Mobile Vulnerability Reward Program (VRP), had paid reporters nearly $100,000 in rewards for 40 valid reports in the program’s first year alone. All of Google’s 2023 VRPs together paid out $10 million to 632 submitters.
(DMK)