We’re always investing within the safety of the Linux Kernel as a result of a lot of the web, and Googleβfrom the units in our pockets, to the companies operating on Kubernetes within the cloudβdepend upon the safety of it. We analysis its vulnerabilities and assaults, in addition to research and develop its defenses.
However we all know that there’s extra work to do. Thatβs why we now have determined to construct on prime of our kCTF VRP from final 12 months and triple our earlier reward quantities (for at the least the following 3 months).
Our base rewards for every publicly patched vulnerability is 31,337 USD (at most one exploit per vulnerability), however the reward can go as much as 50,337 USD in two instances:
- If the vulnerability was in any other case unpatched within the Kernel (0day)
- If the exploit makes use of a brand new assault or approach, as decided by Google
We hope the brand new rewards will encourage the safety neighborhood to discover new Kernel exploitation methods to realize privilege escalation and drive faster fixes for these vulnerabilities. You will need to be aware, that the simplest exploitation primitives aren’t accessible in our lab atmosphere as a result of hardening carried out on Container-Optimized OS. Be aware this program enhances Android’s VRP rewards, so exploits that work on Android may be eligible for as much as 250,000 USD (that is along with this program).
The mechanics are:
- Connect with the kCTF VRP cluster, acquire root and browse the flag (learn this writeup for the way it was carried out earlier than, and this menace mannequin for inspiration), after which submit your flag and a checksum of your exploit on this type.
- (If relevant) report vulnerabilities to upstream.
- We strongly suggest together with a patch since that might qualify for an extra reward from our Patch Reward Program, however please report vulnerabilities upstream promptly when you affirm they’re exploitable.
- Present the exploit code and the algorithm used to calculate the hash checksum.
- A tough description of the exploit technique is welcome.
Stories will likely be triaged on a weekly foundation. If anybody has issues with the lab atmosphere (if it is unavailable, technical points or different questions), contact us on Discord in #kctf. You’ll be able to learn extra particulars about this system right here. Glad searching!
