Google launched a new bug bounty program called kvmCTF to enhance the security of its Kernel-based Virtual Machine (KVM) hypervisor. This program offers up to $250,000 as a reward to security researchers who successfully achieve a full virtual machine (VM) escape exploit.
KVM, an open-source hypervisor, is important in consumer and enterprise settings. It has been developed for over 17 years and is used in Android and Google Cloud platform.
By infosecbulletin
/ Monday , November 11 2024
On November 7, 2024, CISA released advisories about 3 critical security issues, vulnerabilities, and exploits related to Industrial Control Systems...
Read More
By infosecbulletin
/ Monday , November 11 2024
A cyberattack on an Israeli clearing company on Sunday left some people unable to use their credit cards for shopping...
Read More
By infosecbulletin
/ Monday , November 11 2024
Russia's media censor, Roskomnadzor, has blocked thousands of local websites using Cloudflare's encryption feature that enhances online privacy and security....
Read More
By infosecbulletin
/ Sunday , November 10 2024
Advertisement for selling the credentials of allegedly belonging to Indian government emails surfaced on the dark web marketplace. A hacker...
Read More
By infosecbulletin
/ Saturday , November 9 2024
Bangladesh faced a 105% rise in cyber incidents from the second to the third quarter of 2024, making it one...
Read More
By infosecbulletin
/ Friday , November 8 2024
The Socket Research Team has discovered a malicious package named "fabrice," pretending to be the legitimate fabric SSH automation library....
Read More
By infosecbulletin
/ Friday , November 8 2024
CISA has added a patched critical security flaw in Palo Alto Networks Expedition to its Known Exploited Vulnerabilities catalog due...
Read More
By infosecbulletin
/ Thursday , November 7 2024
Cisco has fixed a critical vulnerability, CVE-2024-20418, that allowed unauthenticated remote attackers to gain root access on Ultra-Reliable Wireless Backhaul...
Read More
By infosecbulletin
/ Wednesday , November 6 2024
In late October 2024, Cleafy’s Threat Intelligence team noticed a surge in a new Android malware known as TgToxic. However,...
Read More
By infosecbulletin
/ Wednesday , November 6 2024
Cyber Threat Intelligence Unit of BGD e-GOV CIRT found evidence of compromise linked to the vulnerability in F5 BIG-IP systems...
Read More
The reward tiers are the following:
Relative memory read: $10,000
Denial of service: $20,000
Arbitrary memory read: $50,000
Relative memory write: $50,000
Arbitrary memory write: $100,000
Full VM escape: $250,000
Like Google’s kernelCTF vulnerability reward program, which targets Linux kernel security flaws, kvmCTF focuses on VM-reachable bugs in the Kernel-based Virtual Machine (KVM) hypervisor.
The objective is to carry out successful attacks from a guest to a host. No rewards will be given for vulnerabilities in QEMU or from the host to KVM.
Researchers in the program can use exploits to capture flags in a controlled lab environment. The focus is on zero-day vulnerabilities, not known ones. The kvmCTF runs on Google’s Bare Metal Solution (BMS) for top security.
“Participants will be able to reserve time slots to access the guest VM and attempt to perform a guest-to-host attack. The goal of the attack must be to exploit a zero day vulnerability in the KVM subsystem of the host kernel,” said Google software engineer Marios Pomonis.
“If successful, the attacker will obtain a flag that proves their accomplishment in exploiting the vulnerability. The severity of the attack will determine the reward amount, which will be based on the reward tier system explained below. All reports will be thoroughly evaluated on a case-by-case basis.”