The competition opened on October 6, 2023, and is accessible to any exploit writers. “Once you have identified a vulnerability present in our deployed version, exploit it, and grab the flag,” Google software engineers Stephen Roettger and Marios Pomonis noted in a public statement.
Contestants can either try to find known vulnerabilities (n-days) or discover new ones (zero-days or 0-days), but their exploits must be “reasonably stable,” which the company described as having a runtime of less than five minutes and at least 80% success rate.
“If the bug that led to the initial memory corruption was found by you, i.e. reported from the same email address as used in the v8CTF submission, we will consider the exploit a 0-day submission. All other exploits are considered n-day submissions,” Google explained.
Valid submissions will get a reward of $10,000.
The v8CTF challenge is set to complement Google’s Chrome Vulnerability Reward Program (VRP), meaning that exploit writers who discover a zero-day exploit are eligible for an additional reward of up to $180,000.