
🌹 Roses are red, Violets are blue 💙 Giving leets 🧑‍💻 extra sweets 🍭 All of 2022!


We launched an expansion of the kCTF VRP on November 1, 2021, in which we paid 31,337 to 50,337 USD to those who were able to compromise our kCTF cluster and obtain a flag. We increased our rewards because we recognized that in order to attract the attention of the community we needed to match our rewards to their expectations. We consider the expansion to have been a success, and because of that we would like to extend it even further, at least until the end of the year (2022).

During the last three months, we received 9 submissions and paid over 175,000 USD so far. The submissions included five 0days and two 1days. Three of these are already fixed and are public: CVE-2021-4154, CVE-2021-22600 (patch) and CVE-2022-0185 (writeup). These three bugs were first found by Syzkaller, and two of them had already been fixed on the mainline and stable versions of the Linux Kernel at the time they were reported to us.

Based on our experience over these last 3 months, we made a few improvements to the submission process:

  • Reporting a 0day will not require including a flag at first. We heard some concerns from participants that exploiting a 0day in the shared cluster could leak it to other participants. As such, we will only ask for the exploit checksum (but you still have to exploit the bug and submit the flag within a week after the patch is merged on mainline). Please make sure that your exploit works on COS with minimal modifications (test it on your own kCTF cluster), as some common exploit primitives (like eBPF and userfaultfd) might not be available.
  • Reporting a 1day will require including a link to the patch. We will automatically publish the patches of all submissions if the flag is valid. We also encourage you all to include a link to a Syzkaller dashboard report if applicable, in order to help reduce duplicate submissions and so you can see which bugs were exploited already.
  • You will be able to submit the exploit in the same form in which you submit the flag. If you had submitted an exploit checksum for a 0day, please make sure that you include the original exploit as well as the final exploit, and make sure to submit it within a week after the patch is merged on mainline. The original exploit should not require major modifications to work. Note that we need to be able to understand your exploit, so please add comments to explain what it is doing.
  • We are now running two clusters, one on the REGULAR release channel and another one on the RAPID release channel. This should provide more flexibility whenever a vulnerability is only exploitable on modern versions of the Linux Kernel or Kubernetes.

We're also changing the reward structure slightly. Going forward the rewards will be:

  • 31,337 USD to the first valid exploit submission for a given vulnerability. This will only be paid once per vulnerability and only once per cluster version/build (available at /etc/node-os-release).
  • 0 USD for duplicate exploits for the same vulnerability. The bonuses below might still apply.

Bonuses

  • 20,000 USD for exploits for 0day vulnerabilities. This will only be paid once per vulnerability, to the first valid exploit submission.
    • To submit 0days, please test your exploit (we recommend testing it on your own kCTF cluster to avoid leaking it to other participants), make a checksum and send the checksum to us. Within a week after the vulnerability is fixed on the mainline, submit the form as a 1day and include the exploit whose checksum you sent us.
  • 20,000 USD for exploits for vulnerabilities that don't require unprivileged user namespaces (CLONE_NEWUSER). This will only be paid once per vulnerability, to the first valid exploit submission.
    • Our test lab allows unprivileged user namespaces, so we will manually check the exploits to verify whether they work without unprivileged user namespaces when deciding whether to issue the bonus. We decided to issue additional rewards for exploits that don't require unprivileged user namespaces because the containers' default seccomp policy doesn't allow the use of unprivileged user namespaces in containers that are run without CAP_SYS_ADMIN. This feature is now available on Kubernetes, and all nodes running on GKE Autopilot have it enabled by default.
  • 20,000 USD for exploits using novel exploit techniques. This is a bonus in addition to the base rewards (it also applies to duplicate exploits). To qualify for this additional reward, please send us a write-up explaining the technique.
    • An example of something considered a novel technique could be the exploitation of previously unknown objects to transform a limited primitive into a more powerful one, such as an arbitrary/out-of-bounds read/write or an arbitrary free. For example, in all our submissions, researchers leveraged message queues to achieve kernel info leaks. We're looking for similarly powerful techniques that allow heap exploits to be "plugged in" and immediately allow kernel access. Another example is bypassing a common security mitigation, or a technique for exploiting a class of vulnerabilities more reliably.
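The user-namespace bonus above rests on a concrete container setting: the default seccomp policy blocks unprivileged CLONE_NEWUSER when the container lacks CAP_SYS_ADMIN, and COS may also withhold userfaultfd and unprivileged eBPF. The probe below is an added example (not Google's or the kCTF project's code) that reports whether each of those primitives is usable from the calling process, so a cluster operator can confirm the hardening is in effect; it assumes Linux with glibc and should be run as the unprivileged user the workload runs as, since root passes every check.

```c
#define _GNU_SOURCE   /* for unshare(), syscall() and CLONE_NEWUSER in glibc headers */
#include <errno.h>
#include <fcntl.h>
#include <sched.h>
#include <stdio.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>
#ifndef CLONE_NEWUSER
#define CLONE_NEWUSER 0x10000000  /* Linux uapi value, in case the header hides it */
#endif
extern int unshare(int);          /* harmless redeclarations if glibc already did */
extern long syscall(long, ...);

/* Each probe returns 1 = usable by this process, 0 = blocked, -1 = could not tell.
   CLONE_NEWUSER is tried in a forked child so the prober never lands in a new
   namespace. EPERM (seccomp), EINVAL (no CONFIG_USER_NS) and EUSERS
   (user.max_user_namespaces=0) all mean "blocked". */
int probe_userns(void) {
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        if (unshare(CLONE_NEWUSER) == 0) _exit(0);
        _exit(errno == EPERM || errno == EINVAL || errno == EUSERS ? 1 : 2);
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status)) return -1;
    return WEXITSTATUS(status) == 0 ? 1 : (WEXITSTATUS(status) == 1 ? 0 : -1);
}

/* userfaultfd: EPERM (seccomp, or vm.unprivileged_userfaultfd=0 on 5.2+) and
   ENOSYS (filtered or absent syscall) both mean the primitive is blocked. */
int probe_userfaultfd(void) {
#ifndef SYS_userfaultfd
    return -1;
#else
    long fd = syscall(SYS_userfaultfd, O_CLOEXEC | O_NONBLOCK);
    if (fd >= 0) { close((int)fd); return 1; }
    return (errno == EPERM || errno == ENOSYS) ? 0 : -1;
#endif
}

/* Unprivileged BPF: sysctl 0 = allowed, 1 or 2 = disabled for non-root users. */
int probe_unpriv_bpf(void) {
    FILE *f = fopen("/proc/sys/kernel/unprivileged_bpf_disabled", "r");
    if (!f) return -1;
    int v = -1, ok = fscanf(f, "%d", &v) == 1;
    fclose(f);
    return !ok ? -1 : (v == 0 ? 1 : 0);
}
```

A hardened kCTF-style pod should report 0 for all three probes; a 1 for probe_userns means the seccomp policy the bonus refers to is not being applied to that container.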

These changes increase some 1day exploits to 71,337 USD (up from 31,337 USD), and make the maximum reward for a single exploit 91,337 USD (up from 50,337 USD). We are also going to pay at least 20,000 USD even for duplicates if they demonstrate novel exploit techniques (up from 0 USD). However, we will also limit the number of rewards for 1days to only one per version/build. There are 12-18 GKE releases per year on each channel, and we have two clusters on different channels, so we will pay the 31,337 USD base reward up to 36 times (no limit for the bonuses). While we don't expect every upgrade to have a valid 1day submission, we would love to learn otherwise. You can find the flag submission status for our clusters (and their versions) here.

We look forward to hearing from you, and to continuing to strengthen our shared ecosystem. If you would like to participate but don't know where to start, Arizona State University has a free public Kernel Exploitation workshop at https://dojo.pwn.college/challenges/kernel as part of an overall memory corruption course, and you can find a community-maintained list of past Linux Kernel vulnerabilities, exploits and writeups curated by Andrey Konovalov at https://github.com/xairy/linux-kernel-exploitation.

This is part of our Vulnerability Reward Program, which we have been running for over 10 years, and the rules include some more information. As with our other rewards, we will double them if they are donated to charity, and submitters will be listed on our website at bughunters.google.com. If you are ready to submit something, please read the instructions on our website here, and if you have any other questions please contact us on Discord.
