Google to Pay for KVM Hypervisor Vulnerability Finds

Google has introduced the kvmCTF initiative, offering monetary rewards to security researchers who identify vulnerabilities in the KVM (Kernel-based Virtual Machine) hypervisor. KVM is used in the Google Cloud service, as well as in Android and ChromeOS, for example through crosvm, which is built on KVM. To be eligible for a reward, researchers must compromise a specially prepared CTF (Capture The Flag) environment, based on a recent Linux kernel that runs a virtual machine, and gain access to the applications within.

Researchers are tasked with exploiting vulnerabilities in the KVM subsystem of the Linux kernel, which is crucial to the operation of the host system in the environment. A payment of $250,000 is offered for a previously unknown vulnerability that allows an escape from the virtual machine. For vulnerabilities that permit writing to an arbitrary memory location, the reward is $100,000. Additionally, $50,000 is allotted for vulnerabilities that enable reading from or writing to memory, $20,000 for DoS (denial-of-service) vulnerabilities, and $10,000 for relative memory read vulnerabilities.
