Google Offers $250K Bounty for KVM Hypervisor Exploits

KVM is a renowned and open-source hypervisor, not spearheaded by Google, yet it is extensively utilized in both Android and Google Cloud, making Google a significant contributor to the KVM project.

Google has now established a new reward structure for the kvmCTF bug bounty program. Researchers who successfully escape from a guest to a host environment can earn up to $250,000 for a single vulnerability.

The primary objective of kvmCTF is to uncover VM-accessible vulnerabilities within the KVM hypervisor. Google’s focus is exclusively on zero-day vulnerabilities; thus, any exploitation of existing vulnerability chains will not be rewarded.

Researchers wishing to participate in the program must register for kvmCTF and then use Google’s pre-deployed hosted environment for testing. Google allocates time for researchers to attempt to escape from the virtual machine to the host machine, targeting zero-day vulnerabilities in the KVM subsystem of the host kernel.

The rewards tiers are the following:

• Full VM escape: $250,000

• Arbitrary memory write: $100,000

• Arbitrary memory read: $50,000

• Relative memory write: $50,000

• Denial of service: $20,000

• Relative memory read: $10,000

If a researcher successfully executes an attack, they receive a token to verify the successful exploitation of the vulnerability. Google then evaluates the severity of the vulnerability and, following a thorough assessment, determines the amount of the reward to be issued to the researcher.