Upcoming Virtual Event: Cloud Security Summit | July 17 - Register Now
Connect with us

Hi, what are you looking for?



Google Offering $250,000 for Full VM Escape in New KVM Bug Bounty Program

Google has announced a new KVM bug bounty program named kvmCTF with rewards of up to $250,000 for a full VM escape.


Google has announced a new bug bounty program with significant rewards for vulnerabilities found in the Kernel-based Virtual Machine (KVM) hypervisor.

The goal of the new program, named kvmCTF, is to help find and address vulnerabilities in the KVM hypervisor.

The bug bounty program works like a CTF event, with participants being able to reserve time slots to access a guest VM hosted in a lab environment, and attempt to conduct a guest-to-host attack. 

Google is hoping the project will help in identifying virtual machine escapes, arbitrary code execution flaws, information disclosure issues, and denial-of-service (DoS) bugs.  

“The goal of the attack must be to exploit a zero day vulnerability in the KVM subsystem of the host kernel. If successful, the attacker will obtain a flag that proves their accomplishment in exploiting the vulnerability,” Google explained in a blog post.

[ Read: Hacker Conversations: Natalie Silvanovich From Google’s Project Zero ]

The highest reward, $250,000, can be earned for a full VM escape. Participants can earn $100,000 for an arbitrary memory write exploit, and $50,000 for an arbitrary memory read or a relative memory write exploit. DoS attacks can earn up to $20,000 and relative memory read flaws up to $10,000.

KVM is widely used in both consumer and enterprise solutions, including by the Android and Google Cloud platforms, which is why the internet giant wants to enhance the hypervisor’s security.

Advertisement. Scroll to continue reading.

Interested hackers can read the complete rules for kvmCTF on GitHub. 

Related: Google Boosts Bug Bounty Payouts Tenfold in Mobile App Security Push

Related: Google Expands Bug Bounty Program With Chrome, Cloud CTF Events

Related: Google Announces Bug Bounty Program and Other Initiatives to Secure AI

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.


Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Learn how to utilize tools, controls, and design models needed to properly secure cloud environments.


Event: ICS Cybersecurity Conference

The leading industrial cybersecurity conference for Operations, Control Systems and IT/OT Security professionals to connect on SCADA, DCS PLC and field controller cybersecurity.


People on the Move

ICS and OT cybersecurity solutions provider TXOne Networks appoints Stephen Driggers as its new CRO.

Identity orchestration provider Strata Identity has appointed Aldo Pietropaolo as Field CTO.

Cybersecurity provider for the aviation industry Cyviation has appointed Eliran Almog as Chief Executive Officer.

More People On The Move

Expert Insights