Google doubles bug bounty rewards for Linux, Kubernetes exploits
The increased rewards are said to align better with the community's expectations of a bug bounty programme of this kind
Google has announced it will be doubling the rewards it offers to bug hunters who can demonstrate working exploits for a range of zero-day and one-day vulnerabilities across a variety of platforms.
The reward increases apply to exploits discovered in the Linux kernel, Kubernetes, Google Kubernetes Engine (GKE), or kCTF (Google's Kubernetes-based capture-the-flag infrastructure), with the next review coming at the start of 2023.
Rewards offered for valid one-day exploits more than double to a maximum of $71,337, up from $31,337 previously. Sometimes known as 'n-days', one-days are publicly known vulnerabilities for which a patch already exists; in this case Google is paying for novel exploits of them rather than for the bugs themselves.
Bug hunters seeking rewards for valid one-day exploits will have to provide a link to the existing patch in their report. Google also said it will be limiting the number of rewards for one-day vulnerabilities to only one version or build.
"There are 12-18 GKE releases per year on each channel, and we have two clusters on different channels, so we will pay the $31,337 base rewards up to 36 times (no limit for the bonuses)," said Eduardo Vela, Product Security Response TL/M at Google. "While we don't expect every upgrade to have a valid 1day submission, we would love to learn otherwise."
Valid exploits for previously unknown zero-day vulnerabilities will attract a maximum reward of $91,337, up from $50,337 previously, nearly double the old figure. Zero-day vulnerabilities typically attract greater rewards because a vendor wants to fix the weakness before attackers learn of it.
"We launched an expansion of kCTF VRP on 1 November 2021 in which we paid $31,337 to $50,337 to those that are able to compromise our kCTF cluster and obtain a flag," said Vela. "We increased our rewards because we recognised that in order to attract the attention of the community we needed to match our rewards to their expectations. We consider the expansion to have been a success, and because of that, we would like to extend it even further to at least until the end of the year (2022)."
An increasing amount of recent research has highlighted cyber criminals' shift in focus towards Linux environments, both in and outside of the cloud.
Qualys published findings earlier this year regarding a Linux root privilege flaw that went unnoticed for 12 years while "hiding in plain sight", while VMware observed an increasing number of ransomware attacks targeting Linux-based multi-cloud environments last week.
Full details on the reporting process can be found in the Google blog post.
Reward structure
Google will offer a base reward of $31,337 for the first valid exploit of a given vulnerability, zero-day or one-day. This will be paid only once per vulnerability and once per cluster version or build. Duplicate exploits will not be rewarded unless they present a novel exploit chain, Google said.
On top of the base reward, three bonuses of $20,000 each are available depending on the nature of the exploit disclosed:
- $20,000 will be awarded if the exploit is a zero-day
- A further $20,000 will be awarded for exploits that do not require unprivileged user namespaces
- Another $20,000 is on offer to those who demonstrate a novel exploit technique. This bonus is also available for duplicate exploits, and a full write-up is required for the submission to qualify
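The second bonus rewards exploits that work without unprivileged user namespaces, because hardened hosts often turn that feature off and an exploit that depends on it is correspondingly less valuable. The script below is an added example, not code from the article or from Google's programme: it classifies a Linux host by reading the two sysctl knobs that control the feature (the mainline `user.max_user_namespaces` and the Debian/Ubuntu out-of-tree `kernel.unprivileged_userns_clone`). The optional ROOT argument is an assumption made for testing; it lets the function read a constructed fixture tree instead of the live `/proc`.

```shell
#!/bin/sh
# Added example (not from the article): report whether unprivileged user
# namespaces appear to be allowed on this host.
#
# Usage: userns_policy [ROOT]
#   ROOT is an assumption for testing: a directory holding a fake proc/sys
#   tree. With no argument the real /proc/sys files are read.
userns_policy() {
    root="${1:-}"
    maxns="$root/proc/sys/user/max_user_namespaces"
    clone="$root/proc/sys/kernel/unprivileged_userns_clone"

    # Mainline knob: user.max_user_namespaces=0 forbids creating any new
    # user namespace at all, for root and non-root alike.
    if [ -r "$maxns" ] && [ "$(cat "$maxns")" = "0" ]; then
        echo "disabled (user.max_user_namespaces=0)"
        return 0
    fi

    # Debian/Ubuntu out-of-tree knob: when present and set to 0, only a
    # process with CAP_SYS_ADMIN may create a user namespace.
    if [ -r "$clone" ]; then
        if [ "$(cat "$clone")" = "0" ]; then
            echo "disabled (kernel.unprivileged_userns_clone=0)"
        else
            echo "enabled (kernel.unprivileged_userns_clone=1)"
        fi
        return 0
    fi

    # No distro-specific knob and a non-zero mainline limit: unprivileged
    # users can create user namespaces up to that limit.
    if [ -r "$maxns" ]; then
        echo "enabled (user.max_user_namespaces=$(cat "$maxns"))"
        return 0
    fi

    echo "unknown (sysctl files not present)"
    return 0
}

# Live confirmation from an unprivileged shell: actually try to create a
# user namespace and map the caller to root inside it (util-linux unshare).
userns_live_check() {
    if unshare -Ur true 2>/dev/null; then
        echo "unshare ok"
    else
        echo "unshare refused"
    fi
}

userns_policy
```

The sysctl reading is the static policy; `userns_live_check` is the ground truth, since seccomp profiles, LSM policy or a container runtime can still refuse the `unshare` even when the sysctls permit it. Run both from the same unprivileged context your exploit would execute in.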
Connor Jones has been at the forefront of global cyber security news coverage for the past few years, breaking developments on major stories such as LockBit’s ransomware attack on Royal Mail International, and many others. He has also made sporadic appearances on the ITPro Podcast discussing topics from home desk setups all the way to hacking systems using prosthetic limbs. He has a master’s degree in Magazine Journalism from the University of Sheffield, and has previously written for the likes of Red Bull Esports and UNILAD tech during his career that started in 2015.