Google has launched kvmCTF, a new vulnerability reward program (VRP) first announced in October 2023 to improve the security of the Kernel-based Virtual Machine (KVM) hypervisor that comes with $250,000 bounties for full VM escape exploits.

KVM, an open-source hypervisor with over 17 years of development, is a crucial component in consumer and enterprise settings, powering Android and Google Cloud platforms.

An active and key KVM contributor, Google developed kvmCTF as a collaborative platform to help identify and fix vulnerabilities, bolstering this vital security layer.

Like Google’s kernelCTF vulnerability reward program, which targets Linux kernel security flaws, kvmCTF focuses on VM-reachable bugs in the Kernel-based Virtual Machine (KVM) hypervisor.

The goal is to execute successful guest-to-host attacks, and QEMU or host-to-KVM vulnerabilities will not be awarded.

Security researchers who enroll in the program are provided with a controlled lab environment where they can use exploits to capture flags. However, unlike other vulnerability reward programs, kvmCTF focuses on zero-day vulnerabilities and will not reward exploits targeting known vulnerabilities.

The reward tiers for kvmCTF are as follows:

  • Full VM escape: $250,000
  • Arbitrary memory write: $100,000
  • Arbitrary memory read: $50,000
  • Relative memory write: $50,000
  • Denial of service: $20,000
  • Relative memory read: $10,000

The kvmCTF infrastructure is hosted on Google’s Bare Metal Solution (BMS) environment, highlighting the program’s commitment to high-security standards.

“Participants will be able to reserve time slots to access the guest VM and attempt to perform a guest-to-host attack. The goal of the attack must be to exploit a zero day vulnerability in the KVM subsystem of the host kernel,” said Google software engineer Marios Pomonis.

“If successful, the attacker will obtain a flag that proves their accomplishment in exploiting the vulnerability. The severity of the attack will determine the reward amount, which will be based on the reward tier system explained below. All reports will be thoroughly evaluated on a case-by-case basis.”

Google will receive details of discovered zero-day vulnerabilities only after upstream patches are released, ensuring the information is shared with the open-source community simultaneously.

To get started, participants must review the kvmCTF rules, which include information on reserving time slots, connecting to the guest VM, obtaining flags, mapping various KASAN violations to reward tiers, as well as detailed instructions on reporting vulnerabilities.