
Google Expands Bug Bounty Program With Chrome, Cloud CTF Events

Google has announced the expansion of its vulnerability rewards program with two events focused on Chrome’s V8 JavaScript rendering engine and on Kernel-based Virtual Machine (KVM).

The v8CTF, which has already started, allows security researchers to earn monetary rewards for successfully exploiting a V8 version running on Google’s infrastructure.

The challenge is meant to complement Google’s VRP, allowing researchers who identify vulnerabilities in the JavaScript engine to earn additional rewards by submitting exploits to the v8CTF. However, participating researchers can also submit exploits for already known V8 vulnerabilities.

“If the bug that led to the initial memory corruption was found by you, i.e. reported from the same email address as used in the v8CTF submission, we will consider the exploit a 0-day submission. All other exploits are considered n-day submissions,” Google explains.

Researchers who identify a new vulnerability are encouraged to report it first to the Chrome VRP. Next, they can use the exploit in the v8CTF to exfiltrate the flag from Google’s infrastructure.


According to the program’s rules, security researchers submitting valid exploits are eligible for a reward of $10,000.

“This is on top of any existing rewards for the vulnerabilities themselves. For example, if you find a vulnerability in V8 and then write an exploit for it, it can be eligible under both the Chrome VRP and the v8CTF,” Google explains.

Set to be launched later this year, kvmCTF will reward researchers for exploits targeting zero-day and one-day vulnerabilities in KVM, the open-source virtualization module in the Linux kernel that allows it to function as a hypervisor.

The event will focus on the LTS kernel and will reward successful guest-to-host attacks. QEMU exploits or vulnerabilities aren’t within the event’s scope for now.

Google promises rewards of up to $99,999 for exploits leading to a full VM escape, but it will also reward arbitrary memory write/read ($34,999 and $24,999, respectively) and denial-of-service (DoS) exploits ($14,999).


“Note that the above rewards don’t stack. For example, if you submit a full VM escape exploit that uses an arbitrary memory write, you will be compensated with the reward for the VM escape ($99,999) and not with two separate rewards ($99,999 + $34,999),” Google explains.

Security researchers interested in participating are encouraged to read the rules for v8CTF and kvmCTF, exploit an identified vulnerability to capture the flag, and send the flag to Google, as specified in the rules.

“If you’re successful, you’ll not only earn a reward, but you’ll also help us make our products safer for everyone. This is also a good opportunity to learn about technologies and gain hands-on experience exploiting them,” Google notes.
