Friday, November 22, 2024

Google unveils new KVM bug bounty program


Google has moved to strengthen Kernel-based Virtual Machine hypervisor security with the introduction of the new kvmCTF vulnerability reward program, reports BleepingComputer.

Under the program, security researchers who identify full VM escape exploits can receive up to $250,000, while those who find arbitrary memory write flaws will be offered $100,000, according to Google. The company will also pay bounties of $50,000 for the discovery of arbitrary memory read and relative memory write zero-days, as well as rewards of $20,000 and $10,000 for denial-of-service and relative memory read bugs, respectively. Guest-to-host intrusions can be attempted on the kvmCTF infrastructure upon reservation.

“The goal of the attack must be to exploit a zero-day vulnerability in the KVM subsystem of the host kernel. If successful, the attacker will obtain a flag that proves their accomplishment in exploiting the vulnerability,” noted Google software engineer Marios Pomonis.

Information regarding the identified zero-days will be provided only after patches have been issued, Google said.
