In an effort to improve the security of its Kernel-based Virtual Machine (KVM) hypervisor, Google is offering security researchers the chance to claim cash rewards for discovering bugs and vulnerabilities.
Google’s Bug Bounty Program uses ethical hacking in a controlled environment to give experts a chance to find and exploit a zero-day vulnerability in the KVM hypervisor. The program prioritizes finding virtual machine escapes, denial-of-service bugs, information leaks, and arbitrary code execution flaws.
The Need to Secure KVM
KVM is used by both consumers and businesses, as it’s a critical component of both the Google and Android cloud systems. It also allows virtual machines to run operating systems differently from the host operating system.
The KVM launched in October 2023 after more than 15 years of development. The vulnerability reward program is a tool to ensure the utmost security.
Bug Bounty Program Details
Security researchers must make a reservation for a time slot during which they will attempt to launch an attack on the KVM and identify zero-day exploits. Participants work within a guest VM in a lab environment and try to launch a guest to host an attack.
Depending on their success in this endeavor and the severity of the issue discovered, Google offers significant bug bounty rewards of up to a quarter million dollars.
Ethical hackers who achieve a complete VM escape can earn $250,000. Discovering an arbitrary memory write will earn $100,000, while an arbitrary memory read or a relative memory write garners $50,000. Hackers who find a denial of service can receive a $20,000 payment, and relative memory readers earn a $10,000 fee.
Google will only pay for zero-day exploits, not n-day discoveries. Suppose a participant is the first to uncover a vulnerability in the KVM subsystem or host kernel. In that case, they obtain a flag that proves the accomplishment.
How Google Will Respond to Security Issues
Security vulnerabilities uncovered via Google’s Bug Bounty Program will receive upstream patches to address the concerns and improve KVM’s security. Google will receive details of these flaws simultaneously with the rest of the open-source community, so everyone has the same information to work with. The company also asks researchers to publish their submissions and results to help educate the community.
The Vulnerability Reward Program is an ongoing initiative that fosters collaboration between the company and the global security community. In 2023, the program paid bug hunters over $10 million for their work on addressing vulnerabilities in the company’s products and services. Ultimately, the results ensure a safer and more secure online landscape for all users.
Researchers who wish to participate in Google’s Bug Bounty program can find the rules and request a time slot via the company’s security blog.