Virtualization Technology News and Information
Secret Program Offers $250,000 Bounty for VM Escape Vulnerabilities


Shhh!  Have you heard about the secret program currently going through a recruitment process where recruits can earn rewards upwards of $250,000?  Well, in 2017, as you probably are already well aware, secrets aren't what they used to be.  So, here's the info!

An unnamed company is starting an eight-week, invite-only bug bounty program in September that offers a $250,000 payout for virtual machine escape vulnerabilities tied to an as-yet-unreleased product.

This announcement is another indicator that organizations are seeing the value in bounty programs like this: they can identify vulnerabilities early rather than waiting for others to take advantage of them, which ultimately costs more one way or another down the line.

What is this secret program?

"Private programs are open to a select, vetted group of researchers while public ones are open to the full breadth of the 60k+ crowd.  This top secret program is a hybrid approach.  It allows the organization to recruit more top talent -- security experts that specialize in the company's unique attack surface -- in a more controlled way.  This means that while not just anyone can 'hack on' the program, anyone can apply to," said Casey Ellis, CEO of Bugcrowd.

The not so "Super-Secret" Bugcrowd bounty program is invite-only and requires participating researchers to submit a report of their efforts, what was attempted, ideas for a potential compromise, and any other relevant information (regardless of whether or not they achieved the stated objectives), according to the company.

Areas of focus will include:

  • Guest VM breakout/isolation failures
  • Code execution beyond the confines of your guest VM
  • Privilege escalation within the guest VM made possible by the underlying platform
  • Any vulnerabilities which could lead to compromise or leakage of data and directly affect the confidentiality or integrity of user data, or which affect user privacy (including memory corruption, cross-guest VM issues, persistent issues)
  • Denial/degrading service to other customers, or of the underlying platform itself (excluding DDoS)

The program will last eight weeks, starting in early September and running through October.  According to the bounty website, 48 participants have already joined the program as of this writing.

The top $250,000 bounty paid out by the unknown sponsoring company is for "guest escape vulnerabilities that lead to code execution in the virtualization platform itself" and for "guest escape vulnerabilities that lead to code execution in another instance."  The same program pays $100,000 for vulnerabilities that leak memory contents and code from the virtualization platform.  Additionally, a $25,000 bounty is paid for vulnerabilities that grant unintended network access to control-plane infrastructure.  And the top five reports at the end of the program that show demonstrated effort and expertise will be awarded $10,000 each, as compensation for the work done.

Ready to get your white hat on and try your luck?  Apply for the super-secret program.  But be prepared to undergo a background check and sign an NDA prior to participating.

Published Thursday, August 10, 2017 9:12 AM by David Marshall