Discover KVM Zero-Day Vulnerabilities to Get Google’s $250,000 Reward

Google has launched kvmCTF, a groundbreaking vulnerability reward program aimed at fortifying the security of the Kernel-based Virtual Machine (KVM) hypervisor. Announced in October 2023, kvmCTF offers substantial bounties of up to $250,000 for full VM escape exploits, underscoring its focus on zero-day vulnerabilities and rigorous evaluation standards. Designed to engage cybersecurity professionals, ethical hackers, and researchers, kvmCTF invites participants to test the limits of KVM security within a controlled environment hosted on Google’s Bare Metal Solution (BMS).

Reward Tiers:

  • Full VM escape: $250,000
  • Arbitrary memory write: $100,000
  • Arbitrary memory read: $50,000
  • Relative memory write: $50,000
  • Denial of service: $20,000
  • Relative memory read: $10,000

Google software engineer Marios Pomonis highlights the program’s objective: “Participants will be able to reserve time slots to access the guest VM and attempt to perform a guest-to-host attack. The goal of the attack must be to exploit a zero-day vulnerability in the KVM subsystem of the host kernel.”

The program outlines various reward tiers, including $100,000 for arbitrary memory writes and $20,000 for denial-of-service attacks, providing incentives for uncovering critical vulnerabilities. Participants are tasked with executing guest-to-host attacks, with successful exploits yielding flags that validate their findings. This initiative not only aims to bolster KVM’s resilience but also promotes collaboration within the cybersecurity community by ensuring that discovered vulnerabilities are shared responsibly after upstream patches are implemented.

“For those keen on contributing to virtualization security,” Pomonis adds, “kvmCTF sets clear guidelines for accessing guest VMs, mapping KASAN violations to reward tiers, and reporting vulnerabilities. By fostering a transparent and structured approach, Google encourages ethical disclosures and contributes to the ongoing enhancement of KVM’s security landscape.” 

Author

  • Maya Pillai

    Maya Pillai is a tech writer with 20+ years of experience curating engaging content. She can translate complex ideas into clear, concise information for all audiences.
