In 2020, we launched a novel format for our vulnerability reward program (VRP) with the kCTF VRP and its continuation kernelCTF. For the first time, security researchers could get bounties for n-day exploits even if they didn’t find the vulnerability themselves. This format proved valuable in improving our understanding of the most widely exploited parts of the Linux kernel. Its success motivated us to expand it to new areas and we’re now excited to announce that we’re extending it to two new targets: v8CTF and kvmCTF.
Today, we’re launching v8CTF, a CTF focused on V8, the JavaScript engine that powers Chrome. kvmCTF is an upcoming CTF focused on Kernel-based Virtual Machine (KVM) that will be launched later in the year.
As with kernelCTF, we will be paying bounties for successful exploits against these platforms, n-days included. This is on top of any existing rewards for the vulnerabilities themselves. For example, if you find a vulnerability in V8 and then write an exploit for it, it can be eligible under both the Chrome VRP and the v8CTF.
We’re always looking for ways to improve the security posture of our products, and we want to learn from the security community to understand how they will approach this challenge. If you’re successful, you’ll not only earn a reward, but you’ll also help us make our products safer for everyone. This is also a good opportunity to learn about technologies and gain hands-on experience exploiting them.
Besides learning about exploitation techniques, we’ll also leverage this program to experiment with new mitigation ideas and see how they perform against real-world exploits. For mitigations, it’s crucial to assess their effectiveness early on in the process, and you can help us battle test them.
How do I participate?
- First, make sure to check out the rules for v8CTF or kvmCTF. This page contains up-to-date information about the types of exploits that are eligible for rewards, as well as the limits and restrictions that apply.
- Once you have identified a vulnerability present in our deployed version, exploit it, and grab the flag. It doesn’t even have to be an 0-day!
- Send us the flag by filling out the form linked in the rules and we’ll take it from there.
We’re looking forward to seeing what you can find!