Google Introduces New Vulnerability Bounty Program for KVM Virtual Machine Manager with Rewards up to $250,000
KVM is a well-known, open-source virtual machine manager. Although it is not a Google-led open-source project, KVM is used extensively in Android and Google Cloud, which makes Google a significant participant in the KVM project.
Google has now established a new reward scheme for the kvmCTF vulnerability bounty program. If researchers can escape from the guest machine to the host, they can earn up to $250,000 for an individual vulnerability.
The primary goal of kvmCTF is to uncover accessible vulnerabilities within the KVM virtual machine manager, focusing solely on zero-day vulnerabilities. Exploitation of any existing vulnerability chains will not be rewarded.
Reward Scheme for kvmCTF:
- Complete Virtual Machine Escape: Up to $250,000
- Arbitrary Memory Write: Up to $100,000
- Arbitrary Memory Read: Up to $50,000
- Relative Memory Write: Up to $50,000
- Denial of Service: Up to $20,000
- Relative Memory Read: Up to $10,000
Researchers who wish to participate in the program need to register for kvmCTF and then use Google's already deployed managed environment for testing. Google reserves time for researchers to attempt escaping from the guest virtual machine to the host, targeting zero-day vulnerabilities in the host kernel's KVM subsystem.
Successful attacks will earn a token as proof of exploiting the vulnerability. Google will then assess the severity of the vulnerability and decide the amount of reward to be issued to the researcher after a thorough evaluation.