Google has launched kvmCTF, a new vulnerability reward program first announced in October 2023, to improve the security of the Kernel-based Virtual Machine (KVM) hypervisor. The program comes with $250,000 bounties for full VM escape exploits.
KVM, an open-source hypervisor with over 17 years of development, is a crucial component in consumer and enterprise settings, powering Android and Google Cloud platforms.
An active and key KVM contributor, Google developed kvmCTF as a collaborative platform to help identify and fix vulnerabilities, bolstering this vital security layer.
Like Google's kernelCTF vulnerability reward program, which targets Linux kernel security flaws, kvmCTF focuses on VM-reachable bugs in the Kernel-based Virtual Machine hypervisor.
The goal is to execute successful guest-to-host attacks; QEMU or host-to-KVM vulnerabilities will not be rewarded.
Security researchers who enroll in the program are provided with a controlled lab environment where they can use exploits to capture flags.
Unlike other vulnerability reward programs, kvmCTF focuses on zero-day vulnerabilities and will not reward exploits targeting known vulnerabilities.
The kvmCTF infrastructure is hosted on Google's Bare Metal Solution environment, highlighting the program's commitment to high-security standards.
Google will receive details of discovered zero-day vulnerabilities only after upstream patches are released, ensuring the information is shared with the open-source community simultaneously.
To get started, participants must review the kvmCTF rules, which include information on reserving time slots, connecting to the guest VM, obtaining flags, mapping various KASAN violations to reward tiers, as well as detailed instructions on reporting vulnerabilities.
This Cyber News was published on www.bleepingcomputer.com. Publication date: Tue, 02 Jul 2024 18:10:17 +0000