Connect with us

Hi, what are you looking for?


Application Security

Google Offering $91,000 Rewards for Linux Kernel, GKE Zero-Days

Technology giant Google is offering bigger cash awards for hackers reporting critical security flaws affecting the Linux Kernel, GKE, Kubernetes, and kCTF.

Technology giant Google is offering bigger cash awards for hackers reporting critical security flaws affecting the Linux Kernel, GKE, Kubernetes, and kCTF.

In November last year, Google tripled the bug bounty rewards for Linux kernel flaws reported through its Vulnerability Rewards Program (VRP), for payouts of up to $50,337 for zero-day issues.

This week, the company announced it is nearly doubling that amount and offering a maximum reward of $91,337 for exploits that meet certain criteria. The maximum payout includes a base reward and three bonuses.

The base reward for the first exploit submitted for a certain vulnerability is $31,337, with no reward being offered for duplicate exploits.

However, the search advertising giant is offering a bonus of $20,000 for zero-day security bugs (paid for the first valid exploit), another $20,000 bonus for vulnerabilities that do not require unprivileged user namespaces (paid for the first valid exploit), and a third $20,000 bonus for exploits using novel exploit techniques (paid for duplicate exploits too).

[ READ: Google Triples Bounty for Linux Kernel Exploitation ]

The new rewards structure also offers participating researchers the possibility to earn as much as $71,337 for 1-day exploits, and at least $20,000 for duplicate exploits that use novel techniques.

Advertisement. Scroll to continue reading.

However, Google said it would also limit the number of rewards for 1days to only one per version/build.  “There are 12-18 GKE releases per year on each channel, and we have two clusters on different channels, so we will pay the 31,337 USD base rewards up to 36 times (no limit for the bonuses).”

The company recommends that researchers test their exploits in their own kCTF clusters, to make sure that no other participants to the VRP will access the exploit. 

Furthermore, the company says that, moving forward, zero-day submissions no longer have to include a flag at first, that reports for 1-day should include links to patches, and that the same form can be used to submit both exploits and flags.

[ READ: Google Confirms New Chrome Zero-Day Attack ]

“If you had submitted an exploit checksum for a 0day, please make sure that you include the original exploit as well as the final exploit and make sure to submit it within a week after the patch is merged on mainline,” Google added.

The company is now using a cluster for the REGULAR release channel and another for the RAPID release channel, to provide bug hunters with increased flexibility.

Since launching the expansion of kCTF VRP in November 2021, Google received nine vulnerability submissions — including five zero-days and two 1-days — and paid more than $175,000 in bug bounty rewards.

Related: Google Paid Out $8.7 Million in Bug Bounty Rewards in 2021

Related: Google Paid Over $29 Million in Bug Bounty Rewards in 10 Years

Related: Google Adds GKE Open-Source Dependencies to Vulnerability Rewards Program

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...


WASHINGTON - Cyberattacks are the most serious threat facing the United States, even more so than terrorism, according to American defense experts. Almost half...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

Data Protection

The cryptopocalypse is the point at which quantum computing becomes powerful enough to use Shor’s algorithm to crack PKI encryption.

Artificial Intelligence

The CRYSTALS-Kyber public-key encryption and key encapsulation mechanism recommended by NIST for post-quantum cryptography has been broken using AI combined with side channel attacks.


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...