Security Experts:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Application Security

Google Offering $91,000 Rewards for Linux Kernel, GKE Zero-Days

Technology giant Google is offering bigger cash awards for hackers reporting critical security flaws affecting the Linux Kernel, GKE, Kubernetes, and kCTF.

Technology giant Google is offering bigger cash awards for hackers reporting critical security flaws affecting the Linux Kernel, GKE, Kubernetes, and kCTF.

In November last year, Google tripled the bug bounty rewards for Linux kernel flaws reported through its Vulnerability Rewards Program (VRP), for payouts of up to $50,337 for zero-day issues.

This week, the company announced it is nearly doubling that amount and offering a maximum reward of $91,337 for exploits that meet certain criteria. The maximum payout includes a base reward and three bonuses.

The base reward for the first exploit submitted for a certain vulnerability is $31,337, with no reward being offered for duplicate exploits.

However, the search advertising giant is offering a bonus of $20,000 for zero-day security bugs (paid for the first valid exploit), another $20,000 bonus for vulnerabilities that do not require unprivileged user namespaces (paid for the first valid exploit), and a third $20,000 bonus for exploits using novel exploit techniques (paid for duplicate exploits too).

[ READ: Google Triples Bounty for Linux Kernel Exploitation ]

The new rewards structure also offers participating researchers the possibility to earn as much as $71,337 for 1-day exploits, and at least $20,000 for duplicate exploits that use novel techniques.

However, Google said it would also limit the number of rewards for 1days to only one per version/build.  “There are 12-18 GKE releases per year on each channel, and we have two clusters on different channels, so we will pay the 31,337 USD base rewards up to 36 times (no limit for the bonuses).”

The company recommends that researchers test their exploits in their own kCTF clusters, to make sure that no other participants to the VRP will access the exploit. 

Furthermore, the company says that, moving forward, zero-day submissions no longer have to include a flag at first, that reports for 1-day should include links to patches, and that the same form can be used to submit both exploits and flags.

[ READ: Google Confirms New Chrome Zero-Day Attack ]

“If you had submitted an exploit checksum for a 0day, please make sure that you include the original exploit as well as the final exploit and make sure to submit it within a week after the patch is merged on mainline,” Google added.

The company is now using a cluster for the REGULAR release channel and another for the RAPID release channel, to provide bug hunters with increased flexibility.

Since launching the expansion of kCTF VRP in November 2021, Google received nine vulnerability submissions — including five zero-days and two 1-days — and paid more than $175,000 in bug bounty rewards.

Related: Google Paid Out $8.7 Million in Bug Bounty Rewards in 2021

Related: Google Paid Over $29 Million in Bug Bounty Rewards in 10 Years

Related: Google Adds GKE Open-Source Dependencies to Vulnerability Rewards Program

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

Data Breaches

GoTo said an unidentified threat actor stole encrypted backups and an encryption key for a portion of that data during a 2022 breach.

Network Security

NSA publishes guidance to help system administrators identify and mitigate cyber risks associated with transitioning to IPv6.

CISO Strategy

Cybersecurity-related risk is a top concern, so boards need to know they have the proper oversight in place. Even as first-timers, successful CISOs make...

Mobile & Wireless

Technical details published for an Arm Mali GPU flaw leading to arbitrary kernel code execution and root on Pixel 6.

Mobile & Wireless

Apple rolled out iOS 16.3 and macOS Ventura 13.2 to cover serious security vulnerabilities.

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

Mobile & Wireless

Apple’s iOS 12.5.7 update patches CVE-2022-42856, an actively exploited vulnerability, in old iPhones and iPads.