Google unveils major new bug bounty program to help boost security across the board


Google has launched a new bug bounty program that promises some juicy rewards.

The new program, kvmCTF, is a vulnerability reward program (VRP) for the Kernel-based Virtual Machine (KVM) hypervisor that Google first announced in October 2023.

Kernel-based Virtual Machine (KVM) is a virtualization module in the Linux kernel that allows the kernel to function as a hypervisor. It provides the infrastructure to manage and run multiple virtual machines (VMs) on a single physical host; each VM runs its own instance of an operating system, which can differ from the host OS.

Full VM escape pays most

The module has been in open-source development for more than 15 years, and is a major part of Android and Google Cloud, the company said.

“We designed kvmCTF as a collaborative way to help identify & remediate vulnerabilities and further harden this fundamental security boundary,” Google said in the blog post.

The bug bounty program focuses on zero-day vulnerabilities, which means that Google will not pay out for n-day flaws. Payments vary depending on the severity of the discovered vulnerability.

A full VM escape will earn you $250,000. An arbitrary memory write pays $100,000, an arbitrary memory read $50,000, a relative memory write $50,000, a denial of service $20,000, and a relative memory read $10,000.

For the experiments, Google prepared a bare-metal host running a single guest VM. Participants reserve a time slot to access the guest VM and attempt an attack. The goal is to exploit a zero-day in either the KVM subsystem or the host kernel.

Details on zero-day flaws will be shared with Google only after the release of an upstream patch, ensuring Google receives them at the same time as the rest of the open-source community. Those interested in participating in the bounty hunting program can find more information here.


Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.