Google now pays $250k for KVM zero-day vulnerabilities
Google launches kvmCTF, a $250,000 reward program for KVM hypervisor exploits. Researchers target zero-day vulnerabilities in KVM crucial for Android and Google Cloud platforms. Program hosted on Google's secure Bare Metal Solution.
Google has introduced a new vulnerability reward program called kvmCTF, offering bounties of up to $250,000 for a full VM escape exploit against the Kernel-based Virtual Machine (KVM) hypervisor. KVM underpins both Android and Google Cloud platforms and has over 17 years of development behind it. The program aims to find and fix vulnerabilities in this security layer, focusing on zero-day vulnerabilities. Researchers earn tiered rewards depending on what their exploit achieves, with the highest tier reserved for a full VM escape. The program provides a controlled lab environment in which researchers attempt their attacks and capture flags. Google hosts kvmCTF on its Bare Metal Solution (BMS) environment to meet its security standards. Participants must follow the program rules, reserve time slots, and report vulnerabilities according to detailed instructions. Google will only receive details of zero-day vulnerabilities after patches are released, so that the information reaches Google and the open-source community at the same time.
Related
Vulnerability in Popular PC and Server Firmware
Eclypsium found a critical vulnerability (CVE-2024-0762) in Intel Core processors' Phoenix SecureCore UEFI firmware, potentially enabling privilege escalation and persistent attacks. Lenovo issued BIOS updates, emphasizing the significance of supply chain security.
BeyondCorp (2014)
Google's BeyondCorp approach rethinks enterprise security by moving away from traditional perimeter security to enhance protection in the changing tech environment. Visit the link for more details on this innovative strategy.
I found a 1-click exploit in South Korea's biggest mobile chat app
A critical exploit in KakaoTalk allows attackers to run JavaScript in a WebView, potentially compromising user accounts by stealing access tokens. The exploit highlights the need to address security vulnerabilities in messaging apps.
The Windows Registry Adventure #3: Learning Resources
The Project Zero team at Google, led by Mateusz Jurczyk, stresses the importance of information gathering in vulnerability research, focusing on closed-source systems like the Windows registry. Various resources aid understanding and efficiency.
CVE-2021-4440: A Linux CNA Case Study
The Linux CNA mishandled CVE-2021-4440 in the 5.10 LTS kernel, causing information leakage and KASLR defeats. The issue affected Debian Bullseye and SUSE's 5.3.18 kernel, resolved in version 5.10.218.
- find vuln (0day to you)
- sell sploit on black market (0day for black market)
- months later, confirm the vulnerability has not been patched
- if not patched, submit bug report and claim as new 0-day. "0day" for the company. But it's really been in the wild for 180 days
- Google sends $250K check but "researcher" also received $750K on the black market
In addition to double dipping, can these high bounties also act as a way for employees to pad their salaries?
- "accidentally" introduce bug in patch. Very easy to do an "xz/Jia Tan"-like attack. Maybe slip it in a massive change request
- let buddy know this vulnerability exists. Then have them claim the bounty.
- months later have accomplice send crypto/NFT/cash
Probably can’t do this too often though.
* I am not an American, just a wild guess.