Thursday, June 2, 2022

🌹 Roses are red, Violets are blue 💙 Giving leets 🧑‍💻 extra sweets 🍭 All of 2022!


We launched an expansion of the kCTF VRP on November 1, 2021, in which we paid 31,337 to 50,337 USD to those who were able to compromise our kCTF cluster and obtain a flag. We increased our rewards because we recognized that, in order to attract the attention of the community, we needed to match our rewards to their expectations. We consider the expansion to have been a success, and because of that we would like to extend it even further, to at least the end of the year (2022).

During the last three months, we received 9 submissions and have paid over 175,000 USD so far. The submissions included five 0days and two 1days. Three of these are already fixed and public: CVE-2021-4154, CVE-2021-22600 (patch) and CVE-2022-0185 (writeup). These three bugs were first found by Syzkaller, and two of them had already been fixed on the mainline and stable versions of the Linux Kernel at the time they were reported to us.

Based on our experience over these last 3 months, we made a few improvements to the submission process:

  • Reporting a 0day will not require including a flag at first. We heard concerns from participants that exploiting a 0day in the shared cluster could leak it to other participants. As such, we will only ask for the exploit checksum (but you still need to exploit the bug and submit the flag within a week after the patch is merged on mainline). Please make sure that your exploit works on COS with minimal modifications (test it on your own kCTF cluster), as some common exploit primitives (like eBPF and userfaultfd) might not be available.
  • Reporting a 1day will require including a link to the patch. We will automatically publish the patches of all submissions if the flag is valid. We also encourage you to include a link to a Syzkaller dashboard report if applicable, in order to help reduce duplicate submissions and so you can see which bugs have already been exploited.
  • You will be able to submit the exploit in the same form in which you submit the flag. If you had submitted an exploit checksum for a 0day, please make sure that you include the original exploit as well as the final exploit, and submit it within a week after the patch is merged on mainline. The original exploit should not require major modifications to work. Note that we need to be able to understand your exploit, so please add comments explaining what it is doing.
  • We are now running two clusters, one on the REGULAR release channel and another on the RAPID release channel. This should provide more flexibility whenever a vulnerability is only exploitable on modern versions of the Linux Kernel or Kubernetes.

We are also changing the reward structure slightly. Going forward, the rewards will be:

  • 31,337 USD to the first valid exploit submission for a given vulnerability. This will only be paid once per vulnerability and only once per cluster version/build (available at /etc/node-os-release).
  • 0 USD for duplicate exploits for the same vulnerability. The bonuses below might still apply.

Bonuses

  • 20,000 USD for exploits for 0day vulnerabilities. This will only be paid once per vulnerability, to the first valid exploit submission.
    • To submit 0days, please test your exploit (we recommend testing it on your own kCTF cluster to avoid leaking it to other participants), compute a checksum and send the checksum to us. Within a week after the vulnerability is fixed on mainline, submit the form as a 1day and include the exploit whose checksum you sent us.
  • 20,000 USD for exploits for vulnerabilities that don't require unprivileged user namespaces (CLONE_NEWUSER). This will only be paid once per vulnerability, to the first valid exploit submission.
    • Our test lab allows unprivileged user namespaces, so we will manually inspect the exploits to check whether they work without unprivileged user namespaces when deciding whether to issue the bonus. We decided to issue additional rewards for exploits that don't require unprivileged user namespaces because the default seccomp policy for containers doesn't allow the use of unprivileged user namespaces in containers that run without CAP_SYS_ADMIN. This feature is now available on Kubernetes, and all nodes running on GKE Autopilot have it enabled by default.
  • 20,000 USD for exploits using novel exploit techniques. This is a bonus in addition to the base rewards (it also applies to duplicate exploits). To qualify for this additional reward, please send us a write-up explaining the technique.
    • An example of something considered a novel technique would be the exploitation of previously unknown objects to transform a limited primitive into a more powerful one, such as an arbitrary/out-of-bounds read/write or an arbitrary free. For example, in all of our submissions so far, researchers leveraged message queues to achieve kernel info leaks. We are looking for similarly powerful techniques that allow heap exploits to be "plugged in" and immediately gain kernel access. Another example is bypassing a common security mitigation, or a technique for exploiting a class of vulnerabilities more reliably.
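Both the note above about testing on COS (eBPF and userfaultfd may be unavailable) and the user-namespace bonus come down to one question: which primitives does the container's seccomp profile and sysctl configuration actually hand to an unprivileged process? The following added program is not part of Google's post or the kCTF project; it probes the two cases named on this page (unshare(CLONE_NEWUSER) and userfaultfd) and classifies the result. It assumes a Linux/glibc build where SYS_userfaultfd is defined.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <sched.h>
#include <stdio.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>

/* Coarse verdict for "can an unprivileged process use this primitive here?" */
enum verdict { AVAILABLE, BLOCKED, UNSUPPORTED, OTHER };
/* Map a probe's errno to a verdict. EPERM is what the container seccomp profile,
 * a sysctl such as vm.unprivileged_userfaultfd=0, or a missing CAP_SYS_ADMIN
 * produce; EINVAL/ENOSYS point to a kernel built without the feature. */
enum verdict classify_errno(int err) {
    switch (err) {
    case 0:      return AVAILABLE;
    case EPERM:
    case EACCES: return BLOCKED;
    case EINVAL:
    case ENOSYS: return UNSUPPORTED;
    default:     return OTHER;
    }
}

/* unshare(CLONE_NEWUSER) in a forked child so the caller's own namespaces are
 * untouched. Returns 0 on success, otherwise the child's errno. */
int probe_userns(void) {
    pid_t pid = fork();
    if (pid < 0) return errno;
    if (pid == 0) _exit(unshare(CLONE_NEWUSER) == 0 ? 0 : (errno & 0x7f));
    int status = 0;
    if (waitpid(pid, &status, 0) < 0) return errno;
    return WIFEXITED(status) ? WEXITSTATUS(status) : EIO;
}

/* Request a userfaultfd and close it again. Returns 0 if one was handed out, else errno. */
int probe_userfaultfd(void) {
    long fd = syscall(SYS_userfaultfd, O_CLOEXEC | O_NONBLOCK);
    if (fd < 0) return errno;
    close((int)fd);
    return 0;
}

int main(void) {
    static const char *names[] = { "available", "blocked (EPERM)", "unsupported", "other" };
    printf("unprivileged user namespaces: %s\n", names[classify_errno(probe_userns())]);
    printf("userfaultfd:                  %s\n", names[classify_errno(probe_userfaultfd())]);
    return 0;
}
```

Run it inside the pod whose hardening you want to confirm; "blocked (EPERM)" for user namespaces is the state the bonus above rewards exploits for surviving.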

These changes increase the reward for some 1day exploits to 71,337 USD (up from 31,337 USD), and make the maximum reward for a single exploit 91,337 USD (up from 50,337 USD). We are also going to pay at least 20,000 USD even for duplicates if they demonstrate novel exploit techniques (up from 0 USD). However, we will also limit the number of rewards for 1days to only one per version/build. There are 12-18 GKE releases per year on each channel, and we have two clusters on different channels, so we will pay the 31,337 USD base reward up to 36 times (there is no limit for the bonuses). While we don't expect every upgrade to have a valid 1day submission, we would love to learn otherwise. You can find the flag submission status for our clusters (and their versions) here.

We look forward to hearing from you, and to continuing to strengthen our shared ecosystem. If you are interested in participating but don't know where to start, Arizona State University has a free public Kernel Exploitation workshop at https://dojo.pwn.college/challenges/kernel as part of an overall memory corruption course, and you can find a community-maintained list of past Linux Kernel vulnerabilities, exploits and writeups curated by Andrey Konovalov at https://github.com/xairy/linux-kernel-exploitation.

This is part of our Vulnerability Reward Program, which we have been running for over 10 years, and the rules include some more information. As with our other rewards, we will double them if they are donated to charity, and submitters will be listed on our website at bughunters.google.com. If you are ready to submit something, please read the instructions on our website here, and if you have any other questions please contact us on Discord.
