Google Expands Vulnerability Reward Program to Chrome and Cloud

Estimated read time 3 min read


Are you a security researcher looking for a new challenge? Google has just expanded its Vulnerability Reward Program (VRP) to include two new targets1: v8CTF and kvmCTF. This move aims to fortify the security of Google’s products and offers researchers lucrative bounties.

Key PointsDetails
Initial LaunchNovel VRP format started with kCTF VRP in 2020
New Additionsv8CTF and kvmCTF
BountiesFor successful exploits, including n-days
GoalImprove product security and learn from the community
Real-World TestingExperimenting with new mitigations
ParticipationCheck rules, exploit vulnerability, submit flag
Key Points

A Revolutionary Step in 2020

Google initially launched its novel VRP format with kCTF VRP and its successor, kernelCTF, back in 2020. For the first time, security researchers could earn bounties for n-day exploits, even if they weren’t the ones to discover the vulnerability2. This approach significantly improved Google’s understanding of the most exploited parts of the Linux kernel.

New Targets: v8CTF and kvmCTF

The success of the initial program has led to its extension. The newly launched v8CTF focuses on V8, the JavaScript engine that powers Chrome. Meanwhile, kvmCTF, which will focus on Kernel-based Virtual Machines (KVM), is set to launch later this year.

Bounty Details

Just like with kernelCTF, Google will offer bounties for successful exploits against these new platforms, including n-days. This comes in addition to any existing rewards for discovering the vulnerabilities. For instance, if you find a flaw in V8 and create an exploit, you could be eligible for rewards under both the Chrome VRP and v8CTF.

The Ultimate Goal

Google aims to learn from the security community’s approach to these challenges. Successful participants will not only earn a reward but also contribute to making Google’s products more secure. This program also provides an excellent opportunity for hands-on experience and learning.

Real-World Testing of Mitigations

Google will use this program to test new mitigation strategies and assess their effectiveness against real-world exploits. Participants can contribute significantly to this battle testing.

How to Participate

For those interested in taking part, the rules for v8CTF and kvmCTF are available online. After identifying a vulnerability in the deployed version and exploiting it to capture the flag, participants can submit their findings through a form linked in the rules.


Google’s expansion of its Vulnerability Reward Program marks a significant step forward in collaborative cybersecurity. By adding v8CTF and kvmCTF, the tech giant is not only offering new challenges for security researchers but also working to make its products more secure for everyone.

  1. ↩︎
  2. ↩︎
Reza Rafati

Reza Rafati, based in the Netherlands, is the founder of An industry professional providing insightful commentary on infosec, cybercrime, cyberwar, and threat intelligence, Reza dedicates his work to bolster digital defenses and promote cyber awareness.

You May Also Like

More From Author

+ There are no comments

Add yours