Google Bug Bounty Program Expands to Chrome V8 and Google Cloud

Chrome V8 Bug Bounty

Google’s research division has unveiled v8CTF, a Capture the Flag (CTF) challenge built around V8, the JavaScript engine used in its Chrome browser.

The contest opened on October 6th, 2023, and is open to all exploit developers. “We want to learn from the security community to understand how they will approach this challenge. If you’re successful, you’ll not only earn a reward, but you’ll also help us make our products more secure for everyone. This is also a good opportunity to learn about technologies and gain hands-on experience exploiting them,” Google software engineers Stephen Roettger and Marios Pomonis stated in the Google security blog.

Contestants may exploit known vulnerabilities (termed ‘n-day’) or discover new ones (labeled ‘zero-day’ or ‘0-day’). However, the exploit must be reasonably stable, which Google defines as a runtime of less than five minutes with a success rate above 80%.

“If the bug that led to the initial memory corruption was found by you, i.e. reported from the same email address as used in the v8CTF submission, we will consider the exploit a 0-day submission. All other exploits are considered n-day submissions,” Google explained.

Qualifying submissions are eligible for a reward of $10,000. The v8CTF challenge is intended to complement Google’s Chrome Vulnerability Reward Program (VRP), meaning that researchers who find zero-day vulnerabilities are eligible for an additional bounty of up to $180,000.

Google also announced the rules for kvmCTF, another CTF challenge focused on Google Cloud’s kernel-based virtual machine (KVM) that will launch later this year.

Rewards

  • Full VM Escape: $99,999
  • Arbitrary (host) memory write: $34,999
  • Arbitrary (host) memory read: $24,999
  • Host Denial-of-Service: $14,999

Note that the above rewards do not stack. For example, if you submit a full VM escape exploit that uses an arbitrary memory write, you will be compensated with the reward for the VM escape ($99,999) and not with two separate rewards ($99,999 + $34,999).