Google Offers $250,000 Bug Bounty for KVM

Google has just launched a bug bounty contest with a maximum reward of $250,000. The contest aims to find flaws in the open source hypervisor KVM (Kernel-based Virtual Machine). Security researchers can earn the full amount for a successful guest-to-host attack.

To stimulate the discovery of flaws, Google has created a reward program. First place can earn $250,000. This competition is organized like a capture the flag. Participants log in as guests and search for zero-day vulnerabilities in KVM.

KVM, a collaborative project

KVM is an open source project supported by Google. Since 2007 it has been included in Linux. KVM allows Intel and AMD processors to run multiple virtual machines. This hardware emulation is customizable for different operating systems. Google uses KVM in Android and Google Cloud, which underlines its importance to the company.

Announced last October, the kvmCTF competition officially started on June 27th. Participants first have to reserve time slots in UTC. They connect to the guest VM on a bare metal host. Then, they attempt a guest-to-host attack.

The objective is to find a zero-day vulnerability in the KVM subsystem of the host kernel. Exploits in the QEMU emulator or via host-to-KVM techniques are not eligible. The contest rules explain the process from uploading files to providing proof of exploitation.

Awards and categories

The Google Security blog published the rewards for this bug bounty on June 27. Prizes vary depending on the severity of the exploited vulnerability.

A complete escape of the virtual machine is worth $250,000. An arbitrary memory write is worth $100,000. An arbitrary memory read and a relative memory write are each worth $50,000. A denial of service is worth $20,000 while a relative memory read is worth $10,000.

Rewards are not cumulative. As a result, ethical hackers receive only the final reward, with nothing paid for intermediate steps. The first successful submission is the only winner. As of today, organizers have not received any submissions, according to the kvmCTF Discord channel.

In short, Google is showing its commitment to securing its technologies. With this competition, Google hopes to attract security researchers by offering substantial rewards. This bug bounty program could strengthen the security of KVM. This will benefit a large user community and secure platforms using KVM.
