Unnamed Firm Offers $250,000 for VM Hacks

An unnamed company is prepared to offer up to $250,000 for virtual machine (VM) hacks as part of a “secret” bug bounty program, crowdsourced security testing platform Bugcrowd announced this week.

The program, which Bugcrowd has described as a hybrid approach, is invitation-only, but anyone can apply for an invite. White hat hackers who believe they have the necessary skills can send a submission and they will be contacted if they have been selected.

While the name of the company running this initiative has not been disclosed, Bugcrowd has revealed that the target is an unreleased product.

The ideal applicant for this program is someone skilled in the areas of virtualization, kernel and device driver security, firmware security, and advanced application security.

Focus areas include guest VM breakout, code execution outside the guest VM, privilege escalation within the guest via the underlying platform, flaws that could result in data leakage (e.g. memory corruption, cross-guest VM issues), and disruption of service to other customers (excluding DoS attacks).

Finding these types of security issues can earn participants between $5,000 and $250,000. The hackers who submit one of the best five reports describing their efforts, attempts, ideas for potential compromise, and other relevant information will be rewarded $10,000.

The bug bounty program will run for a period of roughly 8 weeks, between early September and late October.

It’s not uncommon for companies to pay out significant rewards for VM hacks. Last year, researchers earned $150,000 at a hacking competition in South Korea for finding serious vulnerabilities in VMware Workstation and Fusion.

At ZDI’s Pwn2Own contest, Tencent Security’s Team Sniper earned $100,000 for a VMware Workstation exploit that could be used to escape VMs.

Microsoft also announced recently that it’s prepared to pay up to $250,000 for critical vulnerabilities found in its Hyper-V hypervisor on Windows 10.

Related: Atlassian Launches Public Bug Bounty Program

Related: Centrify Launches Bug Bounty Program

view counter

Eduard Kovacs is an international correspondent for SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Previous Columns by Eduard Kovacs: