Saturday, August 12, 2017

Mysterious company is offering up to $250,000 for VM Hacks through a bug bounty

A mysterious company makes the headlines for offering up to $250,000 for virtual machine (VM) hacks. The “secret” bug bounty program was announced by the crowdsourced security testing platform Bugcrowd.
At the time I was writing the unique information available on the target is that it is an unreleased product.
The program is invitation-only, but anyone can apply for an invite, the organization will contact the final participants.
“Bugcrowd has an exciting opportunity to participate in a private, invite-only program with an undisclosed client, against an unreleased product – with rewards up to $250,000!” reads the announcement published on Bugcrowd. 
Candidates must have specific skills on virtual environments, kernel and device driver security, firmware security, and advanced application security.
VM Hacks via bug bounty
The hackers must focus their activities in:
  • Guest VM breakout/isolation failures
  • Code execution beyond the confines of your guest VM
  • Privilege escalation within the guest VM made possible by the underlying platform
  • Any vulnerabilities which could lead to compromise or leakage of data and directly affect the confidentiality or integrity of user data of which affects user privacy (including memory corruption, cross guest VM issues, persistent issues).
  • Denial/degrading service to other customers, or of the underlying platform itself (excluding DDoS)
Participants can earn between $5,000 and $250,000 for each vulnerability they will report, the duration of the bug bounty program is roughly of 8 weeks, it will start in September.
Bug bounty programs are becoming even more common in the IT security industry, VM hacks are among the issues considered more interesting by the experts. Last year, security experts earned $150,000 for or the hack of the VMware Workstation 12.5.1. reported at the hacking contest 2016 PwnFest held in South Korea at the 2016 Power Of Community (POC) security conference.
This year, during the Pwn2Own contest, the researchers at the Tencent Security’s Team Sniper earned $100,000 for a VMware Workstation exploit that could be exploited by attackers used to escape VMs.

0 comments:

Post a Comment