Google: Bug bounty program for hypervisors in Android and Google Cloud

Google is launching a bug hunt for the Kernel-based Virtual Machine hypervisor. There is a prize of up to 250,000 US dollars up for vulnerabilities.

Stylized image: Laptop with burning screen, a white hat sits in front of it and counts money

(Image: created with AI in Bing Designer by heise online / dmk)
This article was originally published in German and has been automatically translated.

At the end of June, Google launched a dedicated bug bounty program to uncover security vulnerabilities in the Kernel-based Virtual Machine (KVM) hypervisor. The program has been given the name "kvmCTF".

In the announcement, Google writes that KVM is a robust open-source hypervisor that is widely used in consumer and enterprise environments, including Android and Google's cloud. Google is an active contributor to the project and has designed kvmCTF to find and fix vulnerabilities collaboratively, in order to harden this fundamental security boundary.

The company provides lab environments in which participants log in and use their exploits to obtain flags (CTF: Capture the Flag). kvmCTF focuses on zero-day vulnerabilities, so no bounties are paid for already known vulnerabilities. Google intends to share detailed information about a zero-day vulnerability only once a patch has been applied and published. This is to ensure that Google receives it at the same time as the rest of the open source community.

kvmCTF uses Google's Bare Metal Solution (BMS) environment to host the infrastructure. Rewards are tiered by the severity of the vulnerability demonstrated. Google lists the following tiers:

  • Full VM escape (complete breakout from the VM): 250,000 US dollars
  • Arbitrary memory write: 100,000 US dollars
  • Arbitrary memory read: 50,000 US dollars
  • Relative memory write: 50,000 US dollars
  • Denial of service: 20,000 US dollars
  • Relative memory read: 10,000 US dollars

For the relative read and write tiers and some denial-of-service cases, kvmCTF offers the option of using a host with KASAN (the Kernel Address Sanitizer) enabled. A memory access violation reported by KASAN then earns participants the flag as proof of the vulnerability.

Interested parties can find the specific kvmCTF rules on GitHub. Google's project maintainers are also available on Discord for questions and submissions.

For Google, its bug bounty programs are generally a clear success. In May, the company announced that the "Mobile Vulnerability Reward Program" (VRP), i.e. the bug bounty program for Android apps, had earned reporters around 100,000 US dollars in rewards for 40 valid reports in its first year alone. Across all of Google's VRPs, payouts in 2023 totalled ten million US dollars, distributed to 632 reporters.

(dmk)