In 2020, we launched a novel format for our vulnerability reward program (VRP) with the kCTF VRP and its continuation kernelCTF. For the primary time, safety researchers might get bounties for n-day exploits even when they didn’t discover the vulnerability themselves. This format proved priceless in bettering our understanding of probably the most extensively exploited components of the linux kernel. Its success motivated us to broaden it to new areas and we’re now excited to announce that we’re extending it to 2 new targets: v8CTF and kvmCTF.

At this time, we’re launching v8CTF, a CTF targeted on V8, the JavaScript engine that powers Chrome. kvmCTF is an upcoming CTF targeted on Kernel-based Digital Machine (KVM) that can be launched later within the yr.

As with kernelCTF, we can be paying bounties for profitable exploits towards these platforms, n-days included. That is on high of any current rewards for the vulnerabilities themselves. For instance, in case you discover a vulnerability in V8 after which write an exploit for it, it may be eligible underneath each the Chrome VRP and the v8CTF.

We’re all the time in search of methods to enhance the safety posture of our merchandise, and we need to study from the safety neighborhood to know how they are going to strategy this problem. For those who’re profitable, you will not solely earn a reward, however you will additionally assist us make our merchandise safer for everybody. That is additionally an excellent alternative to study applied sciences and acquire hands-on expertise exploiting them.

Apart from studying about exploitation methods, we’ll additionally leverage this program to experiment with new mitigation concepts and see how they carry out towards real-world exploits. For mitigations, it’s essential to evaluate their effectiveness early on within the course of, and you’ll assist us battle check them.

How do I take part?

• First, make certain to take a look at the foundations for v8CTF or kvmCTF. This web page comprises up-to-date details about the sorts of exploits which might be eligible for rewards, in addition to the bounds and restrictions that apply.

• After getting recognized a vulnerability current in our deployed model, exploit it, and seize the flag. It doesn’t even should be an 0-day!

• Ship us the flag by filling out the shape linked within the guidelines and we’ll take it from there.

We’re wanting ahead to seeing what yow will discover!