Want to Make a Quick $250k? Find a KVM Vulnerability for Google

Google has announced a new bounty program targeted at Kernel-based Virtual Machine (KVM) open-source software that's used in some of its products, including Android and Google Cloud.

Google needs to find vulnerabilities in these critical components before any attackers do, and vulnerabilities in the KVM supervisor need to be fixed.

"kvmCTF is a vulnerability reward program designed to help identify and address vulnerabilities in the Kernel-based Virtual Machine (KVM) hypervisor," Google explained.

"It offers a lab environment where participants can log in and utilize their exploits to obtain flags. Significantly, in kvmCTF the focus is on zero day vulnerabilities and as a result, we will not be rewarding exploits that use n-days vulnerabilities."

Google wants researchers to exploit a zero-day vulnerability in the host kernel's KVM subsystem, and the severity of the exploit will determine the reward.

The reward tiers are the following:

"kvmCTF uses the Google Bare Metal Solution (BMS) environment to host its infrastructure. Finally, given how critical a hypervisor is to overall system security, kvmCTF will reward various levels of vulnerabilities up to and including code execution and VM escape," Google said.

Of course, any vulnerability identified through this new bounty program will be shared with Google after an upstream patch has been released. This will ensure that all parties, including Google and the rest of the open-source community, will receive the patch at the same time.

This new bounty program is very similar to kCTF from 2023 (targeting the Linux kernel). One of the vulnerabilities found with that program's help netted the researchers $1 million. The entire kCTF awarded almost $2 million to all participants.