Google has significantly amplified its efforts to bolster the security of the Kernel-based Virtual Machine (KVM) hypervisor by offering a staggering $250,000 bounty for critical vulnerabilities. This marks a substantial increase from previous rewards.

KVM, a widely used open-source hypervisor, plays a pivotal role in virtualizing systems across consumer electronics and enterprise environments. It’s a cornerstone of Google Cloud Platform and Android. Recognizing its significance, Google launched the kvmCTF program – a collaborative platform aimed at identifying and patching KVM vulnerabilities.

The program functions similarly to a capture-the-flag (CTF) competition. Participants vie for rewards by exploiting vulnerabilities within a controlled lab environment. The highest payout of $250,000 goes to whoever achieves a full VM escape, granting unauthorized access to the underlying system. Lesser rewards are available for achieving various exploit milestones.

The reward tiers for kvmCTF are as follows:

Buy Me A Coffee
  • Full VM escape: $250,000
  • Arbitrary memory write: $100,000
  • Arbitrary memory read: $50,000
  • Relative memory write: $50,000
  • Denial of service: $20,000
  • Relative memory read: $10,000

The kvmCTF infrastructure is hosted on Google’s Bare Metal Solution (BMS) environment, highlighting the program’s commitment to high-security standards.

“Participants will be able to reserve time slots to access the guest VM and attempt to perform a guest-to-host attack. The goal of the attack must be to exploit a zero day vulnerability in the KVM subsystem of the host kernel,” said Google software engineer Marios Pomonis.

“If successful, the attacker will obtain a flag that proves their accomplishment in exploiting the vulnerability. The severity of the attack will determine the reward amount, which will be based on the reward tier system explained below. All reports will be thoroughly evaluated on a case-by-case basis.”

Google Fi Introduces "Number Lock" Feature to Combat SIM Swapping Attacks

Google will receive details of discovered zero-day vulnerabilities only after upstream patches are released, ensuring the information is shared with the open-source community simultaneously.