Google unveils new KVM bug bounty program

Google has moved to strengthen Kernel-based Virtual Machine hypervisor security with the introduction of the new kvmCTF vulnerability reward program, reports BleepingComputer.

Under the program, security researchers who identify full VM escape exploits can earn up to $250,000, while those who find arbitrary memory write flaws would be offered $100,000, according to Google. The company will also pay bounties of $50,000 for the discovery of arbitrary memory read and relative memory write zero-days, as well as rewards of $20,000 and $10,000 for denial-of-service and relative memory read bugs, respectively. Guest-to-host intrusions can be attempted on the kvmCTF infrastructure upon reservation.

"The goal of the attack must be to exploit a zero-day vulnerability in the KVM subsystem of the host kernel. If successful, the attacker will obtain a flag that proves their accomplishment in exploiting the vulnerability," noted Google software engineer Marios Pomonis.

Information regarding the identified zero-days would only be provided upon the issuance of patches, said Google.
