Google has launched a new bug bounty program that promises juicy rewards.
The new program is kvmCTF, a vulnerability reward program (VRP) for the Kernel-based Virtual Machine (KVM) hypervisor, first announced in October 2023.
Kernel-based Virtual Machine (KVM) is a virtualization module in the Linux kernel that allows the kernel to function as a hypervisor. It provides the infrastructure to manage and run multiple virtual machines (VMs) on a single physical host, and each VM can run its own instance of an operating system, which can be different from the host operating system.
Full VM escape yields the most
The module has been developed in open source form for more than 15 years and is a key part of Android and Google Cloud, the company said.
“We designed kvmCTF as a way to collaboratively find solutions and fix vulnerabilities, and to further harden this fundamental security boundary,” Google said in the blog post.
The bug bounty program focuses on zero-day vulnerabilities, meaning that Google will not pay for n-day bugs. However, the company will make varying payments depending on the severity of the discovered vulnerability.
A full VM escape earns you $250,000. An arbitrary memory write earns you $100,000, an arbitrary memory read earns you $50,000, a relative memory write earns you $50,000, a denial-of-service earns you $20,000, and a relative memory read earns you $10,000.
For the program, Google has set up a bare-metal host running a single guest VM. Participants reserve a time slot to access the guest VM and attempt to launch an attack. The goal is to exploit a zero-day in the KVM subsystem or the host kernel.
Details of zero-day flaws will be shared with Google after the release of an upstream patch, so that Google receives them at the same time as the rest of the open source community. Those interested in participating in the bounty hunting program can find more information here.