Security Blog
The latest news and insights from Google on security and safety on the Internet
Roses are red, Violets are blue, Giving leets more sweets, All of 2022!
February 14, 2022
Posted by Eduardo Vela, Vulnerability Matchmaker
Until December 31, 2022 we will pay 20,000 to 91,337 USD for exploits of vulnerabilities in the Linux Kernel, Kubernetes, GKE or kCTF that are exploitable on our test lab.
We launched an expansion of kCTF VRP on November 1, 2021, in which we paid 31,337 to 50,337 USD to those who were able to compromise our kCTF cluster and obtain a flag. We increased our rewards because we recognized that, in order to attract the attention of the community, we needed to match our rewards to their expectations. We consider the expansion to have been a success, and because of that we would like to extend it until at least the end of the year (2022).
During the last three months, we received 9 submissions and paid over 175,000 USD so far. The submissions included five 0days and two 1days. Three of these are already fixed and are public: CVE-2021-4154, CVE-2021-22600 (patch) and CVE-2022-0185 (writeup). These three bugs were first found by Syzkaller, and two of them had already been fixed on the mainline and stable versions of the Linux Kernel at the time they were reported to us.
Based on our experience these last 3 months, we made a few improvements to the submission process:
Reporting a 0day will not require including a flag at first. We heard some concerns from participants that exploiting a 0day in the shared cluster could leak it to other participants. As such, we will only ask for the exploit checksum (but you still have to exploit the bug and submit the flag within a week after the patch is merged on mainline). Please make sure that your exploit works on COS with minimal modifications (test it on your own kCTF cluster), as some common exploit primitives (like eBPF and userfaultfd) might not be available.
Reporting a 1day will require including a link to the patch. We will automatically publish the patches of all submissions if the flag is valid. We also encourage you all to include a link to a Syzkaller dashboard report if applicable in order to help reduce duplicate submissions and so you can see which bugs were exploited already.
You will be able to submit the exploit in the same form you submit the flag. If you had submitted an exploit checksum for a 0day, please make sure that you include the original exploit as well as the final exploit and make sure to submit it within a week after the patch is merged on mainline. The original exploit shouldn't require major modifications to work. Note that we need to be able to understand your exploit, so please add comments to explain what it is doing.
We are now running two clusters, one on the REGULAR release channel and another one on the RAPID release channel. This should provide more flexibility whenever a vulnerability is only exploitable on modern versions of the Linux Kernel or Kubernetes.
We are also changing the reward structure slightly. Going forward the rewards will be:
31,337 USD to the first valid exploit submission for a given vulnerability. This will only be paid once per vulnerability and only once per cluster version/build (available at /etc/node-os-release).
0 USD for duplicate exploits of the same vulnerability. The bonuses below might still apply.
Bonuses
20,000 USD for exploits for 0day vulnerabilities. This will only be paid once per vulnerability to the first valid exploit submission.
To submit 0days, please test your exploit (we recommend testing it on your own kCTF cluster to avoid leaking it to other participants), make a checksum and send the checksum to us. Within a week after the vulnerability is fixed on the mainline, submit the form as a 1day and include the exploit of which you sent a checksum to us.
20,000 USD for exploits for vulnerabilities that do not require unprivileged user namespaces (CLONE_NEWUSER). This will only be paid once per vulnerability to the first valid exploit submission.
Our test lab allows unprivileged user namespaces, so when deciding whether to issue the bonus we will manually check whether the exploits work without them. We decided to issue additional rewards for exploits that do not require unprivileged user namespaces because the default container seccomp policy does not allow the use of unprivileged user namespaces on containers that are run without CAP_SYS_ADMIN. This feature is now available on Kubernetes and all nodes running on GKE Autopilot have it enabled by default.
20,000 USD for exploits using novel exploit techniques. This is a bonus in addition to the base rewards (applies for duplicate exploits). To qualify for this additional reward please send us a write-up explaining it.
An example of something considered as a novel technique could be the exploitation of previously unknown objects to transform a limited primitive into a more powerful one, such as an arbitrary/out-of-bounds read/write or arbitrary free. For example, in all our submissions, researchers leveraged message queues to achieve kernel information leaks. We are looking for similarly powerful techniques that allow heap exploits to be “plugged in” and immediately allow kernel access. Another example is bypassing a common security mitigation or a technique for exploiting a class of vulnerabilities more reliably.
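An added example, not part of the original post or of the kCTF tooling: a small C probe that an operator can run inside a container to confirm whether the seccomp policy described under the CLONE_NEWUSER bonus is actually in effect for that workload. The function names `probe_userns` and `verdict` are hypothetical.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <sched.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Try unshare(CLONE_NEWUSER) in a throwaway child so the caller's own
 * namespaces are untouched. Returns 0 if a user namespace was created,
 * the child's errno (> 0) if the call was refused, or -1 if the child
 * could not be run or was killed (e.g. by a seccomp kill action). */
int probe_userns(void)
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        int rc = unshare(CLONE_NEWUSER) == 0 ? 0 : errno;
        _exit(rc & 0xff); /* the errno values of interest fit in one byte */
    }
    int status;
    if (waitpid(pid, &status, 0) != pid || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status);
}

/* Map a probe result to what it says about the hardening in place. */
const char *verdict(int result)
{
    switch (result) {
    case 0:      return "allowed: unprivileged user namespaces are reachable";
    case EPERM:  return "blocked: denied by seccomp, LSM or sysctl policy";
    case ENOSPC: return "blocked: user.max_user_namespaces limit reached";
    case -1:     return "inconclusive: probe child did not exit normally";
    default:     return "blocked: other error";
    }
}

int main(void)
{
    int r = probe_userns();
    printf("unshare(CLONE_NEWUSER): %s", verdict(r));
    if (r > 0)
        printf(" (%s)", strerror(r));
    putchar('\n');
    return r == 0; /* exit 1 when the namespace could be created */
}
```

Run it as the container's normal user without CAP_SYS_ADMIN; an "allowed" verdict means the workload is not covered by the default seccomp profile.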
These changes increase some 1day exploits to 71,337 USD (up from 31,337 USD), and make it so that the maximum reward for a single exploit is 91,337 USD (up from 50,337 USD). We are also going to pay at least 20,000 USD even for duplicates if they demonstrate novel exploit techniques (up from 0 USD). However, we will also limit the number of rewards for 1days to only one per version/build. There are 12-18 GKE releases per year on each channel, and we have two clusters on different channels, so we will pay the 31,337 USD base rewards up to 36 times (no limit for the bonuses). While we don't expect every upgrade to have a valid 1day submission, we would love to learn otherwise. You can find the flag submission status for our clusters (and their versions) here.
We look forward to hearing from you, and continue to strengthen our shared ecosystem. If you are interested in participating but don't know where to start, Arizona State University has a free public Kernel Exploitation workshop at https://dojo.pwn.college/challenges/kernel as part of an overall memory corruption course, and you can find a community-maintained list of past Linux Kernel vulnerabilities, exploits and writeups curated by Andrey Konovalov at https://github.com/xairy/linux-kernel-exploitation.
This is part of our Vulnerability Reward Program, which we've been running for over 10 years, and the rules include some more information. Same as with our other rewards, we will double them if they are donated to charity, and submitters will be included on our site at bughunters.google.com. If you are ready to submit something, please read the instructions on our site here and if you have any other questions please contact us on Discord.