Google Online Security Blog: Expanding our exploit reward program to Chrome and Cloud

By admin
In 2020, we launched a novel format for our vulnerability reward program (VRP) with the kCTF VRP and its continuation kernelCTF. For the first time, security researchers could get bounties for n-day exploits even if they didn’t find the vulnerability themselves. This format proved valuable in improving our understanding of the most widely exploited parts of the Linux kernel. Its success motivated us to expand it to new areas and we’re now excited to announce that we’re extending it to two new targets: v8CTF and kvmCTF.


Today, we’re launching v8CTF, a CTF focused on V8, the JavaScript engine that powers Chrome. kvmCTF is an upcoming CTF focused on Kernel-based Virtual Machine (KVM) that will be released later in the year.

As with kernelCTF, we will be paying bounties for successful exploits against these platforms, n-days included. This is on top of any existing rewards for the vulnerabilities themselves. For example, if you find a vulnerability in V8 and then write an exploit for it, it can be eligible under both the Chrome VRP and the v8CTF.

We’re always looking for ways to improve the security posture of our products, and we want to learn from the security community to understand how they will approach this challenge. If you’re successful, you’ll not only earn a reward, but you’ll also help us make our products more secure for everyone. This is also a good opportunity to learn about technologies and gain hands-on experience exploiting them.

Besides learning about exploitation techniques, we’ll also leverage this program to experiment with new mitigation ideas and see how they perform against real-world exploits. For mitigations, it’s crucial to assess their effectiveness early on in the process, and you can help us battle test them.

How do I participate?


First, make sure to check out the rules for v8CTF or kvmCTF. This page contains up-to-date information about the types of exploits that are eligible for rewards, as well as the limits and restrictions that apply.

Once you have identified a vulnerability present in our deployed version, exploit it, and grab the flag. It doesn’t even have to be an 0-day!

Send us the flag by filling out the form linked in the rules and we’ll take it from there.

We’re looking forward to seeing what you can find!