Google is launching another reward programme for security researchers who find vulnerabilities. This time the programme targets zero-day vulnerabilities in the Kernel-based Virtual Machine (KVM) hypervisor, which Google uses extensively for Android and the Google Cloud platform. Depending on the severity of what an exploit achieves, rewards can reach up to 250,000 dollars (232,000 euros).
The just-launched vulnerability reward programme (VRP) called kvmCTF should improve the overall security of the KVM hypervisor. KVM is an open-source hypervisor that has been around for more than 17 years. It is used extensively for virtualization. Google is a major contributor to the technology, so naturally wants to keep it as secure as possible.
To do that, Google likes to use the expertise of security specialists who, for a price, look for vulnerabilities. The reward programme is somewhat similar to Google’s kernelCTF, which focuses on vulnerabilities in the Linux kernel.
Flag is worth money
Participants in kvmCTF perform guest-to-host attacks, and only zero-day vulnerabilities count: exploiting an already known bug earns nothing. QEMU vulnerabilities and host-to-KVM vulnerabilities are out of scope. Security researchers get access to a controlled lab environment in which to look for vulnerabilities.
A successful exploit captures a ‘flag’, and the reward depends on what the exploit achieves: a relative memory read is worth 10,000 dollars and a denial of service 20,000. Participants who manage an arbitrary memory write earn 100,000, and a full VM escape is worth a cool 250,000 dollars. The full list is available here.
Isolated environment
The kvmCTF infrastructure is hosted on Google’s Bare Metal Solution (BMS), an isolated environment designed to keep things as secure as possible. Participants need to reserve time slots to access the guest VM and attempt guest-to-host attacks, targeting zero-day vulnerabilities in the KVM subsystem of the host kernel.
Whether Google actually pays out depends on its evaluation of the successfully exploited vulnerability; the company assesses each submission on a case-by-case basis. Google will only publish details of discovered vulnerabilities after a patch has been released.