News, news analysis, and commentary on the latest trends in cybersecurity technology.

Google Opens $250K Bug Bounty Contest for VM Hypervisor

If security researchers can execute a guest-to-host attack using a zero-day vulnerability in the KVM open source hypervisor, Google will make it worth their while.

Dark Reading Staff, Dark Reading

July 1, 2024

2 Min Read
Two hands holding a white handkerchief during a capture-the-flag contest as another hand tries to grab it
Source: Marco Taliani de Marchio via Alamy Stock Photo

To encourage people to find security holes in the open source Kernel-based Virtual Machine (KVM) hypervisor, Google has launched a vulnerability reward program (VRP), where the top prize is up to a quarter of a million dollars. The VRP is set up as a capture-the-flag contest where the tester logs in as a guest and attempts to find a zero-day vulnerability in the KVM host kernel.

KVM is an open source project, to which Google is an active contributor, that has been included in mainline Linux since 2007. It allows Intel- or AMD-powered devices to run multiple virtual machines (VMs) with hardware emulation that can be customized to support multiple legacy operating systems. Google uses it in its Android and Google Cloud platforms, which is why it has a vested interest in keeping it secure.

First announced last October, the "kvmCTF" contest officially kicked off on June 27. Participants reserve time slots (in UTC format) to log into the guest VM running on a bare metal host, then attempt a guest-to-host attack.

"The goal of the attack must be to exploit a zero-day vulnerability in the KVM subsystem of the host kernel," Google's launch post for the contest stated. Toward that end, vulnerabilities starting in the QEMU emulator or that rely on host-to-KVM techniques are not covered in the contest. The full rules spell out the entire process, from how to download the necessary files to how to properly prove a successful exploit.

This list of rewards appeared on the June 27 Google Security blog entry:

  • Full VM escape: $250,000

  • Arbitrary memory write: $100,000

  • Arbitrary memory read: $50,000

  • Relative memory write: $50,000

  • Denial of service: $20,000

  • Relative memory read: $10,000

Rewards don't stack — ethical hackers only get the end-point reward, not rewards for intermediate steps as well. Also, only the first successful submission earns the reward, but as of press time, no submissions have been received, according to discussion on the kvmCTF Discord channel.

Don't miss the latest Dark Reading Confidential podcast, where we talk to two ransomware negotiators about how they interact with cybercriminals; including how they brokered a deal to restore operations in a hospital NICU where lives were at stake; and how they helped a church, where the attackers themselves "got a little religion." Listen now!

About the Author(s)

Dark Reading Staff

Dark Reading

Dark Reading is a leading cybersecurity media site.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like

More Insights