Google has announced a new bug bounty program with significant rewards for vulnerabilities found in the Kernel-based Virtual Machine (KVM) hypervisor.
The goal of the new program, named kvmCTF, is to help find and address vulnerabilities in the KVM hypervisor.
The bug bounty program works like a CTF event, with participants being able to reserve time slots to access a guest VM hosted in a lab environment, and attempt to conduct a guest-to-host attack.
Google is hoping the project will help in identifying virtual machine escapes, arbitrary code execution flaws, information disclosure issues, and denial-of-service (DoS) bugs.
“The goal of the attack must be to exploit a zero day vulnerability in the KVM subsystem of the host kernel. If successful, the attacker will obtain a flag that proves their accomplishment in exploiting the vulnerability,” Google explained in a blog post.
[ Read: Hacker Conversations: Natalie Silvanovich From Google’s Project Zero ]
The highest reward, $250,000, can be earned for a full VM escape. Participants can earn $100,000 for an arbitrary memory write exploit, and $50,000 for an arbitrary memory read or a relative memory write exploit. DoS attacks can earn up to $20,000 and relative memory read flaws up to $10,000.
KVM is widely used in both consumer and enterprise solutions, including by the Android and Google Cloud platforms, which is why the internet giant wants to enhance the hypervisor’s security.
Interested hackers can read the complete rules for kvmCTF on GitHub.
Related: Google Boosts Bug Bounty Payouts Tenfold in Mobile App Security Push
Related: Google Expands Bug Bounty Program With Chrome, Cloud CTF Events
Related: Google Announces Bug Bounty Program and Other Initiatives to Secure AI