Google Launches KVM Bug Bounty Program: $250,000 Offered for Full VM Escape

Google has launched the kvmCTF bug bounty program with the primary objective of identifying and addressing vulnerabilities within the Kernel-based Virtual Machine (KVM) hypervisor. Named after Capture The Flag (CTF) events, kvmCTF allows participants to reserve time slots to access a guest VM hosted in a controlled lab environment. Their task is to attempt a guest-to-host attack, aiming to uncover critical security flaws such as virtual machine escapes, arbitrary code execution vulnerabilities, information disclosure issues, and denial-of-service (DoS) bugs.

The program focuses on enhancing the security of KVM, a crucial component widely used in consumer and enterprise solutions, including Google Cloud and Android platforms. By incentivizing security researchers and ethical hackers with substantial rewards, Google aims to bolster the resilience of virtualization technologies against potential exploits.

Google’s blog post emphasizes that successful exploits yielding a zero-day vulnerability in the KVM subsystem of the host kernel will earn participants a flag, demonstrating their achievement. The highest bounty of $250,000 is reserved for discovering a full VM escape, while other impactful discoveries such as arbitrary memory write exploits can fetch up to $100,000. Rewards scale down to $50,000 for arbitrary memory read or relative memory write exploits, up to $20,000 for DoS attacks, and up to $10,000 for relative memory read flaws.

By engaging the global security community through kvmCTF, Google seeks to proactively identify and mitigate potential security risks, ensuring robust protection for virtualized environments essential to modern computing infrastructures.
