Google’s research team has initiated the v8CTF, a unique capture-the-flag (CTF) challenge focused on probing vulnerabilities within the V8 JavaScript engine that powers the Chrome browser. This competition, which commenced on October 6, 2023, is open to exploit writers and encourages them to identify and exploit vulnerabilities in the deployed version of Chrome.
To be considered valid, exploits must meet specific stability criteria, including a runtime of less than five minutes and an 80% success rate. Google has clearly outlined the distinction between known vulnerabilities (n-days) and new ones (zero-days) and emphasized that exploits meeting their criteria will receive a $10,000 reward.
Notably, Google’s v8CTF challenge is designed to complement its existing Chrome Vulnerability Reward Program (VRP). This means that participants who successfully discover and exploit zero-day vulnerabilities may qualify for an additional reward, potentially reaching up to $180,000.
The challenge serves as an invitation to the cybersecurity community, providing a platform for individuals to demonstrate their expertise, uncover potential vulnerabilities within the V8 JavaScript engine, and contribute to the improvement of Chrome’s security. This initiative showcases Google’s commitment to fostering collaboration and incentivizing security researchers to proactively identify and address software vulnerabilities.
In addition to the v8CTF, Google has also unveiled rules for the upcoming kvmCTF, another CTF challenge focused on Google Cloud’s kernel-based virtual machine (KVM). Scheduled for later in the year, the kvmCTF will require participants to execute successful guest-to-host attacks utilizing both zero-day and patched one-day (1-day) exploits. These competitions underscore Google’s dedication to cybersecurity and its engagement with the broader community in fortifying its software and cloud infrastructure against potential threats.
