
🌹 Roses are purple, Violets are blue 💙 Giving leets 🧑‍💻 extra sweets 🍭 All of 2022!

Written by admin


On November 1, 2021 we launched an expansion of the kCTF VRP under which we paid 31,337 to 50,337 USD to anyone able to compromise our kCTF cluster and obtain a flag. We increased the rewards because we recognized that, to get the community's attention, the rewards had to match its expectations. We consider the expansion a success, and so we are extending it further, until at least the end of 2022.

Over the last three months we received 9 submissions and have paid out over 175,000 USD so far. The submissions included five 0days and two 1days. Three of these are already fixed and public: CVE-2021-4154, CVE-2021-22600 (patch) and CVE-2022-0185 (writeup). All three bugs were first found by Syzkaller, and two of them had already been fixed in the mainline and stable Linux kernel at the time they were reported to us.

Based on our experience over these three months, we made a few improvements to the submission process:

  • Reporting a 0day will no longer require including a flag at first. We heard concerns from participants that exploiting a 0day in the shared cluster could leak it to other participants. As such, we will initially ask only for a checksum of the exploit (you still need to exploit the bug and submit the flag within a week after the patch is merged on mainline). Please make sure your exploit works on COS with minimal modifications (test it on your own kCTF cluster), as some common exploit primitives (like eBPF and userfaultfd) might not be available there.
  • Reporting a 1day will require including a link to the patch. We will automatically publish the patches of all submissions whose flag is valid. We also encourage you to include a link to a Syzkaller dashboard report where applicable, to help reduce duplicate submissions and so you can see which bugs have already been exploited.
  • You will be able to submit the exploit in the same form in which you submit the flag. If you submitted an exploit checksum for a 0day, please include the original exploit as well as the final exploit, and submit it within a week after the patch is merged on mainline. The original exploit should not require major modifications to work. Note that we need to be able to understand your exploit, so please add comments explaining what it does.
  • We are now running two clusters, one on the REGULAR release channel and another on the RAPID release channel. This should provide more flexibility whenever a vulnerability is only exploitable on recent versions of the Linux kernel or Kubernetes.

We are also changing the reward structure slightly. Going forward the rewards will be:

  • 31,337 USD to the first valid exploit submission for a given vulnerability. This is paid only once per vulnerability and only once per cluster version/build (visible in /etc/node-os-release on the node).
  • 0 USD for duplicate exploits for the same vulnerability. The bonuses below may still apply.

Bonuses

  • 20,000 USD for exploits of 0day vulnerabilities. This is paid only once per vulnerability, to the first valid exploit submission.
    • To submit a 0day, test your exploit (we recommend testing it on your own kCTF cluster to avoid leaking it to other participants), compute a checksum of it and send us the checksum. Within a week after the vulnerability is fixed on mainline, submit the form as a 1day and include the exploit whose checksum you sent us.
  • 20,000 USD for exploits of vulnerabilities that do not require unprivileged user namespaces (CLONE_NEWUSER). This is paid only once per vulnerability, to the first valid exploit submission.
    • Our test lab allows unprivileged user namespaces, so when deciding whether to issue this bonus we will manually inspect the exploit to check that it works without them. We decided to reward such exploits extra because the default container seccomp profile does not allow the use of unprivileged user namespaces in containers run without CAP_SYS_ADMIN. This feature is now available on Kubernetes, and all nodes running on GKE Autopilot have it enabled by default.
  • 20,000 USD for exploits using novel exploit techniques. This is a bonus in addition to the base rewards (and also applies to duplicate exploits). To qualify for it, please send us a write-up explaining the technique.
    • An example of what we consider a novel technique is the exploitation of previously unknown kernel objects to turn a limited primitive into a more powerful one, such as an arbitrary or out-of-bounds read/write or an arbitrary free. For instance, in all of our submissions so far, researchers leveraged message queues to achieve kernel info leaks. We are looking for similarly powerful techniques that let heap exploits be "plugged in" and immediately gain kernel access. Another example is a bypass of a common security mitigation, or a technique for exploiting a class of vulnerabilities more reliably.

These changes raise the reward for some 1day exploits to 71,337 USD (up from 31,337 USD) and make the maximum reward for a single exploit 91,337 USD (up from 50,337 USD). We will also pay at least 20,000 USD even for duplicates if they demonstrate a novel exploit technique (up from 0 USD). However, we will also limit the number of rewards for 1days to one per version/build. There are 12-18 GKE releases per year on each channel, and we have two clusters on different channels, so we will pay the 31,337 USD base reward up to 36 times (there is no limit on the bonuses). While we do not expect every upgrade to have a valid 1day submission, we would love to learn otherwise. You can find the flag submission status for our clusters (and their versions) here.

We look forward to hearing from you, and to continuing to strengthen our shared ecosystem. If you would like to participate but do not know where to start, Arizona State University has a free public Kernel Exploitation workshop at https://dojo.pwn.college/challenges/kernel as part of an overall memory corruption course, and you can find a community-maintained list of past Linux kernel vulnerabilities, exploits and writeups curated by Andrey Konovalov at https://github.com/xairy/linux-kernel-exploitation.

This is part of our Vulnerability Reward Program, which we have been running for over 10 years; the rules include more information. As with our other rewards, we will double them if they are donated to charity, and submitters will be listed on our site at bughunters.google.com. If you are ready to submit something, please read the instructions on our site here, and if you have any other questions please contact us on Discord.
