The competition commenced on October 6, 2023, and is accessible to all exploit developers. “Should you identify a vulnerability in our version, exploit it and seize the flag,” advise Google software engineers Stephen Roettger and Marios Pomonis for the foreseeable future.
Participants have the option to either hunt for known vulnerabilities (n-days) or unearth new ones (zero-days or 0-days). Nevertheless, the exploits they craft must meet a criterion of being “reasonably stable,” as defined by the company, indicating they should be executable in under five minutes with a minimum 80% success rate.
“If the bug that led to the original memory corruption was discovered by you, i.e. reported by the same email address used in the v8CTF submission, we will consider the exploit a zero-day submission. All other exploits are considered n-day submissionsGoogle explained.
For eligible submissions, a $10,000 reward will be granted. The v8CTF challenge is designed to complement Google’s Chrome Vulnerability Reward Program (VRP), implying that exploit creators who uncover a zero-day vulnerability may be eligible for an additional reward of up to $180,000.
Google has also unveiled the rules for kvmCTF, an upcoming capture-the-flag (CTF) challenge centered around the Kernel-based Virtual Machine (KVM) in Google Cloud, set to launch later this year.
In this competition, participants will be tasked with executing a successful guest-to-host attack using both 0-day and patched 1-day exploits.
Google has disclosed the following rewards:
- $99,999 for a full VM escape.
- $34,999 for exploits enabling arbitrary (host) memory write.
- $24,999 for exploits enabling arbitrary (host) memory read.
- $14,999 for a denial-of-service exploit that impacts the host computer.
Google urged researchers to share their submissions openly, fostering a collaborative environment where the community can benefit from one another’s techniques and insights.
Chrome V8 submission process
- If your exploit targets a zero-day vulnerability, please report it to the Chrome VRP first.
- Check whether there is already a submission for the currently developing V8 version.
- Exploit the bug and retrieve the flag from our v8CTF environment.
- Create a .tar.gz file of your exploit and calculate its sha256 hash.
- Complete a submission form, including the sha256 sum, the flag, and the exploit. For zero-day submissions, use the same email address as the one used to report the vulnerability.
- A Google Issue Tracker bug will be submitted on behalf of the candidates. Attach the exploit matching the sha256 sum and provide a brief write-up on the bug.
- Google will take several days to validate each submission.
Bounty programs that incentivize the discovery and exploitation of vulnerabilities in products have evolved into a crucial component within the broader IT security landscape for numerous technology enterprises.
Essentially, these companies engage developers and security experts in a quest to identify and expose any vulnerabilities within their products or services, compensating them for their diligent efforts.
These initiatives serve as more than just an appealing means of harnessing the skills of independent researchers; they also represent an efficient mechanism for identifying and rectifying potential vulnerabilities that could result in security breaches.
Submitting vulnerabilities can pave the way for more robust security solutions and enable companies to address existing issues before they become widely known to the public.