Google has unveiled a new bug bounty program to bolster the security of the Kernel-based Virtual Machine (KVM) hypervisor, offering rewards of up to $250,000 for critical vulnerabilities. The program, kvmCTF, invites security researchers to probe for weaknesses in this widely used open-source technology that underpins platforms like Android and Google Cloud.
According to the announcement, kvmCTF focuses exclusively on identifying zero-day vulnerabilities in KVM. Google provides specialized lab environments for participants to test their exploits. The company emphasizes that this initiative is designed to foster collaboration within the open-source community and enhance the security of a fundamental component in many computing systems.
The reward structure is tiered based on the severity of the discovered vulnerabilities. Researchers who achieve a full virtual machine escape could earn the top prize of $250,000. Other significant rewards include $100,000 for arbitrary memory write capabilities and $50,000 for arbitrary memory read exploits. The program also offers smaller bounties for less severe issues, such as relative memory access vulnerabilities and denial of service attacks.
To participate, security experts must reserve time slots to access the test environment, which consists of a bare-metal host running a single guest virtual machine. Successful exploits are verified through a capture-the-flag mechanism, where participants must obtain specific flags as proof of their accomplishments.
Google has implemented a two-stage submission process to protect the details of zero-day vulnerabilities. Initially, researchers submit only a flag and a hash of their exploit code. Once the vulnerability is reported to the Linux kernel security team and a patch is released, participants can then disclose full details of their findings.
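The two-stage process described above is a hash commitment: the flag proves the exploit worked, and the hash binds the researcher to one specific exploit without disclosing it until a patch exists. The following is an added illustration of both sides of that exchange, not Google's kvmCTF code; the flag value, the exploit bytes and the function names are constructed placeholders.

```python
import hashlib
import hmac
from dataclasses import dataclass


@dataclass(frozen=True)
class Commitment:
    """Stage 1 submission: the captured flag plus a digest of the exploit code."""
    flag: str
    exploit_digest: str  # hex SHA-256 of the exploit source, hides its content


def commit(flag: str, exploit_code: bytes) -> Commitment:
    """Researcher side, stage 1: submit the flag and a hash, not the exploit itself."""
    return Commitment(flag=flag, exploit_digest=hashlib.sha256(exploit_code).hexdigest())


def verify_flag(commitment: Commitment, expected_flag: str) -> bool:
    """Program side, stage 1: accept the claim only if the flag matches (constant-time)."""
    return hmac.compare_digest(commitment.flag.encode(), expected_flag.encode())


def verify_reveal(commitment: Commitment, revealed_code: bytes) -> bool:
    """Program side, stage 2: after the fix ships, the disclosed exploit must hash to the
    digest committed earlier, so the researcher cannot swap in different code later."""
    digest = hashlib.sha256(revealed_code).hexdigest()
    return hmac.compare_digest(digest, commitment.exploit_digest)


# Constructed sample data (hypothetical; not a real kvmCTF flag or exploit)
SAMPLE_FLAG = "kvmCTF{constructed_sample_flag}"
SAMPLE_EXPLOIT = b"# constructed placeholder standing in for exploit source\n"


def run_protocol(flag: str, exploit: bytes, revealed: bytes, expected_flag: str) -> tuple:
    """Walk both stages; returns (flag_accepted, reveal_accepted)."""
    c = commit(flag, exploit)
    return verify_flag(c, expected_flag), verify_reveal(c, revealed)


if __name__ == "__main__":
    print(run_protocol(SAMPLE_FLAG, SAMPLE_EXPLOIT, SAMPLE_EXPLOIT, SAMPLE_FLAG))
```

A hash-only commitment works here because real exploit source has far more entropy than a guessable short string; for a low-entropy payload a random nonce would need to be hashed with it.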
The kvmCTF program utilizes Google’s Bare Metal Solution (BMS) environment to host its infrastructure, providing a realistic testing ground for potential exploits. Participants have the option to work with hosts that have the Kernel Address Sanitizer (KASAN) enabled, which can help in identifying certain types of memory-related vulnerabilities.
By launching this program, Google aims to harden KVM against potential attacks and contribute to the overall security of the open-source ecosystem. The high bounties on offer reflect the critical nature of hypervisor security in today’s computing landscape, where virtualization plays a key role in cloud computing, mobile devices, and enterprise environments.
Security researchers interested in participating can find detailed rules and submission guidelines on the program’s GitHub page. Google has also set up a Discord channel for questions and community discussions related to kvmCTF.