To be considered valid, exploits must meet specific stability criteria, including a runtime of less than five minutes and an 80% success rate. Google has clearly outlined the distinction between known vulnerabilities (n-days) and new ones (zero-days) and emphasized that exploits meeting its criteria will receive a $10,000 reward.
Notably, Google’s v8CTF challenge is designed to complement its existing Chrome Vulnerability Reward Program (VRP). This means that participants who successfully discover and exploit zero-day vulnerabilities may qualify for an additional reward, potentially reaching up to $180,000.
In addition to the v8CTF, Google has also unveiled rules for the upcoming kvmCTF, another CTF challenge focused on Google Cloud’s kernel-based virtual machine (KVM). Scheduled for later in the year, the kvmCTF will require participants to execute successful guest-to-host attacks utilizing both zero-day and patched one-day (1-day) exploits. These competitions underscore Google’s dedication to cybersecurity and its engagement with the broader community in fortifying its software and cloud infrastructure against potential threats.