Google has recently introduced a new vulnerability reward program called kvmCTF, explicitly focusing on the Kernel-based Virtual Machine (KVM) hypervisor. This program, announced back in October 2023, highlights Google’s dedication to improving the security of foundational technologies like Linux and KVM, which are crucial components in many of its products such as Android and Google Cloud.
The KVM hypervisor has a strong reputation with over 15 years of open-source development and is widely utilized across both consumer and enterprise environments. Google, known for its active contribution to the KVM project, has developed kvmCTF as a collaborative platform for identifying and addressing vulnerabilities to strengthen this essential security boundary.
Like the existing kernelCTF program, kvmCTF specifically zeroes in on zero-day vulnerabilities and previously undiscovered security flaws. Participants in kvmCTF are given access to a designated lab environment where they can log in and use their exploits to capture flags.
To maintain the program’s focus on uncovering new, unpatched vulnerabilities, kvmCTF does not reward exploits that leverage n-day vulnerabilities. Details about any zero-day vulnerabilities discovered will only be shared with Google once an upstream patch is rolled out, ensuring that Google and the broader open-source community receive the information simultaneously.
The kvmCTF program offers significant rewards based on the severity of identified vulnerabilities. Reward tiers include $250,000 for a Full VM escape, $100,000 for Arbitrary memory write, $50,000 for Arbitrary memory read, $50,000 for Relative memory write, $20,000 for Denial of service, and $10,000 for Relative memory read. The program also provides the option of using a host with Kernel Address Sanitizer (KASAN) enabled to assist in identifying memory errors leading to these vulnerabilities.
Participants engage in a controlled environment where a bare metal host runs a single guest VM. They can reserve time slots to access the guest VM and conduct guest-to-host attacks, aiming to exploit zero-day vulnerabilities within the KVM subsystem of the host kernel. Successful attackers will be awarded a flag as proof of their accomplishment, with the reward amount determined by the severity of the attack.
Individuals interested in participating in kvmCTF must review the program’s rules, which outline the process of reserving a time slot, connecting to the guest VM, obtaining flags, and reporting vulnerabilities. Google’s kvmCTF initiative marks a significant advancement in the collaborative effort to secure open-source technologies.
By offering substantial rewards for discovering zero-day vulnerabilities, Google hopes to engage the global security community in enhancing the security and reliability of the KVM hypervisor, ultimately benefiting users worldwide. This initiative underscores Google’s commitment to cybersecurity and the importance of vulnerability research in safeguarding critical technologies.