Google announced the launch of the new Bug Bounty program called KVMCTF. The program, first introduced in October 2023, aims to enhance the security of the hypervisor kernel-based machine (KVM) and offers rewards up to $250,000 for full exploits that enable breaking out of the virtual machine.
KVM is an open hypervisor with a development history spanning over 17 years. It plays a pivotal role in both consumer and enterprise environments, supporting platforms like Android and Google Cloud.
Similar to the Kernelctf program, which focuses on identifying Linux kernel vulnerabilities, KVMCTF is dedicated to identifying vulnerabilities in the KVM hypervisor accessible from a virtual machine. The primary objective is to execute successful attacks from a guest to the host system, with no rewards for QMU vulnerabilities or KVM host vulnerabilities.
Participants in the program are provided with a controlled lab environment where they can utilize exploits to capture flags. KVMCTF concentrates on zero-day vulnerabilities and does not reward exploits targeted at well-known vulnerabilities.
The KVMCTF infrastructure is integrated with Google Bare Metal Solution, emphasizing the program’s compliance with high security standards. It offers rewards for identifying vulnerabilities of varying severity levels, including arbitrary code execution and virtual machine escape.
The reward levels are as follows:
- Full escape outside the virtual machine: $250,000;
- Arbitrary writing in memory: $100,000;
- Arbitrary reading from memory: $50,000;
- Relative writing in memory: $50,000;
- Denial-of-service: $20,000;
- Relative reading from memory: $10,000.
Google specifies that participants can reserve temporary slots to access the guest virtual machine and attempt to breach the guest system to the host system. The objective should be exploiting zero-day vulnerabilities within the KVM kernel of the Khost.
If the attack is successful, the attacker will receive a flag confirming their exploit accomplishment. The reward amount will be determined based on the severity of the attack and will correspond