Google Bug Bounty Program Expands to Chrome V8, Google Cloud

Google’s research team has launched v8CTF, a capture-the-flag (CTF) challenge focused on its Chrome browser’s V8 JavaScript engine.

The competition opened on October 6, 2023, and is accessible to any exploit writers. “Once you have identified a vulnerability present in our deployed version, exploit it, and grab the flag,” Google software engineers Stephen Roettger and Marios Pomonis noted in a public statement.

Contestants can either try to find known vulnerabilities (n-days) or discover new ones (zero-days or 0-days), but their exploits must be “reasonably stable,” which the company described as having a runtime of less than five minutes and at least 80% success rate.

“If the bug that led to the initial memory corruption was found by you, i.e. reported from the same email address as used in the v8CTF submission, we will consider the exploit a 0-day submission. All other exploits are considered n-day submissions,” Google explained.

Valid submissions will get a reward of $10,000.

The v8CTF challenge is set to complement Google’s Chrome Vulnerability Reward Program (VRP), meaning that exploit writers who discover a zero-day exploit are eligible for an additional reward of up to $180,000.

Read more: Google Unveils Bug Bounty Program For Android Apps

Google Cloud CTF Will Offer Up to $99,999

Google has also unveiled the rules for the kvmCTF, another CTF challenge focused on Google Cloud’s kernel-based virtual machine (KVM), which will be launched later this year.

For this competition, candidates will be asked to perform a successful guest-to-host attack based on 0-day and (patched) 1-day exploits.

Google has announced its reward prizes. These are:

  • $99,999 for a full VM escape
  • $34,999 for arbitrary (host) memory write exploits
  • $24,999 for arbitrary (host) memory read exploits
  • $14,999 for a successful denial-of-service exploit affecting the host

Google encouraged researchers to publish their submissions in order to help the community learn from each other’s techniques.

What is the Chrome V8 Submission Process?

  1. If your exploit targets a 0-day vulnerability, make sure to report it first to the Chrome VRP.
  2. Check if there’s already a submission for the currently deployed V8 version.
  3. Exploit the bug and capture the flag from our v8CTF environment.
  4. Create a .tar.gz archive of your exploit and calculate its sha256
  5. Fill out a form with the flag and the exploit sha256 sum. For 0-day submissions, submitters are invited to use the same email address they reported the bug from.
  6. A bug in the Google Issue Tracker will be filed on the submitters’ behalf. Attach the exploit matching the sha256 sum and a short write-up to the bug.
  7. Google will take a few days to validate each submission.

Join Infosecurity Magazine during our Autumn Online Summit to hear about “Transforming Security with Pentesting and Bug Bounties”- Register here.