Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Audits

Unnamed Firm Offers $250,000 for VM Hacks

An unnamed company is prepared to offer up to $250,000 for virtual machine (VM) hacks as part of a “secret” bug bounty program, crowdsourced security testing platform Bugcrowd announced this week.

An unnamed company is prepared to offer up to $250,000 for virtual machine (VM) hacks as part of a “secret” bug bounty program, crowdsourced security testing platform Bugcrowd announced this week.

The program, which Bugcrowd has described as a hybrid approach, is invitation-only, but anyone can apply for an invite. White hat hackers who believe they have the necessary skills can send a submission and they will be contacted if they have been selected.

While the name of the company running this initiative has not been disclosed, Bugcrowd has revealed that the target is an unreleased product.

The ideal applicant for this program is someone skilled in the areas of virtualization, kernel and device driver security, firmware security, and advanced application security.

Focus areas include guest VM breakout, code execution outside the guest VM, privilege escalation within the guest via the underlying platform, flaws that could result in data leakage (e.g. memory corruption, cross-guest VM issues), and disruption of service to other customers (excluding DoS attacks).

Finding these types of security issues can earn participants between $5,000 and $250,000. The hackers who submit one of the best five reports describing their efforts, attempts, ideas for potential compromise, and other relevant information will be rewarded $10,000.

The bug bounty program will run for a period of roughly 8 weeks, between early September and late October.

It’s not uncommon for companies to pay out significant rewards for VM hacks. Last year, researchers earned $150,000 at a hacking competition in South Korea for finding serious vulnerabilities in VMware Workstation and Fusion.

Advertisement. Scroll to continue reading.

At ZDI’s Pwn2Own contest, Tencent Security’s Team Sniper earned $100,000 for a VMware Workstation exploit that could be used to escape VMs.

Microsoft also announced recently that it’s prepared to pay up to $250,000 for critical vulnerabilities found in its Hyper-V hypervisor on Windows 10.

Related: Atlassian Launches Public Bug Bounty Program

Related: Centrify Launches Bug Bounty Program

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this event as we dive into threat hunting tools and frameworks, and explore value of threat intelligence data in the defender’s security stack.

Register

Learn how integrating BAS and Automated Penetration Testing empowers security teams to quickly identify and validate threats, enabling prompt response and remediation.

Register

People on the Move

Shane Barney has been appointed CISO of password management and PAM solutions provider Keeper Security.

Edge Delta has appointed Joan Pepin as its Chief Information Security Officer.

Vats Srivatsan has been appointed interim CEO of WatchGuard after Prakash Panjwani stepped down.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.