Are you a security researcher looking for a new challenge? Google has just expanded its Vulnerability Reward Program (VRP) to include two new targets1: v8CTF and kvmCTF. This move aims to fortify the security of Google’s products and offers researchers lucrative bounties.
|Initial Launch||Novel VRP format started with kCTF VRP in 2020|
|New Additions||v8CTF and kvmCTF|
|Bounties||For successful exploits, including n-days|
|Goal||Improve product security and learn from the community|
|Real-World Testing||Experimenting with new mitigations|
|Participation||Check rules, exploit vulnerability, submit flag|
A Revolutionary Step in 2020
Google initially launched its novel VRP format with kCTF VRP and its successor, kernelCTF, back in 2020. For the first time, security researchers could earn bounties for n-day exploits, even if they weren’t the ones to discover the vulnerability2. This approach significantly improved Google’s understanding of the most exploited parts of the Linux kernel.
New Targets: v8CTF and kvmCTF
Just like with kernelCTF, Google will offer bounties for successful exploits against these new platforms, including n-days. This comes in addition to any existing rewards for discovering the vulnerabilities. For instance, if you find a flaw in V8 and create an exploit, you could be eligible for rewards under both the Chrome VRP and v8CTF.
The Ultimate Goal
Google aims to learn from the security community’s approach to these challenges. Successful participants will not only earn a reward but also contribute to making Google’s products more secure. This program also provides an excellent opportunity for hands-on experience and learning.
Real-World Testing of Mitigations
Google will use this program to test new mitigation strategies and assess their effectiveness against real-world exploits. Participants can contribute significantly to this battle testing.
How to Participate
For those interested in taking part, the rules for v8CTF and kvmCTF are available online. After identifying a vulnerability in the deployed version and exploiting it to capture the flag, participants can submit their findings through a form linked in the rules.
Google’s expansion of its Vulnerability Reward Program marks a significant step forward in collaborative cybersecurity. By adding v8CTF and kvmCTF, the tech giant is not only offering new challenges for security researchers but also working to make its products more secure for everyone.