Tuesday, June 25, 2024

Google Offering $91,000 Rewards for Linux Kernel, GKE Zero-Days

Technology giant Google is offering bigger cash awards for hackers reporting critical security flaws affecting the Linux Kernel, GKE, Kubernetes, and kCTF.

In November last year, Google tripled the bug bounty rewards for Linux kernel flaws reported through its Vulnerability Rewards Program (VRP), for payouts of up to $50,337 for zero-day issues.

This week, the company announced it is nearly doubling that amount and offering a maximum reward of $91,337 for exploits that meet certain criteria. The maximum payout includes a base reward and three bonuses.

The base reward for the first exploit submitted for a certain vulnerability is $31,337, with no reward being offered for duplicate exploits.


However, the search advertising giant is offering a bonus of $20,000 for zero-day security bugs (paid for the first valid exploit), another $20,000 bonus for vulnerabilities that do not require unprivileged user namespaces (paid for the first valid exploit), and a third $20,000 bonus for exploits using novel exploit techniques (paid for duplicate exploits too).

The new rewards structure also offers participating researchers the possibility to earn as much as $71,337 for 1-day exploits, and at least $20,000 for duplicate exploits that use novel techniques.

However, Google said it would also limit the number of rewards for 1days to only one per version/build.  “There are 12-18 GKE releases per year on each channel, and we have two clusters on different channels, so we will pay the 31,337 USD base rewards up to 36 times (no limit for the bonuses).”

Recommended:  Open Source Intelligence What is it? and How Is it Used? (OSINT)

The company recommends that researchers test their exploits in their own kCTF clusters, to make sure that no other participants to the VRP will access the exploit. 

Furthermore, the company says that, moving forward, zero-day submissions no longer have to include a flag at first, that reports for 1-day should include links to patches, and that the same form can be used to submit both exploits and flags.

“If you had submitted an exploit checksum for a 0day, please make sure that you include the original exploit as well as the final exploit and make sure to submit it within a week after the patch is merged on mainline,” Google added.

The company is now using a cluster for the REGULAR release channel and another for the RAPID release channel, to provide bug hunters with increased flexibility.

Since launching the expansion of kCTF VRP in November 2021, Google received nine vulnerability submissions — including five zero-days and two 1-days — and paid more than $175,000 in bug bounty rewards.

ClosePlease login
Share the word, let's increase Cybersecurity Awareness as we know it
- Sponsored -

Sponsored Offer

Unleash the Power of the Cloud: Grab $200 Credit for 60 Days on DigitalOcean!

Digital ocean free 200

Discover more infosec

User Avatar
Steven Black (n0tst3)
Hello! I'm Steve, an independent security researcher, and analyst from Scotland, UK. I've had an avid interest in Computers, Technology and Security since my early teens. 20 years on, and, it's a whole lot more complicated... I've assisted Governments, Individuals and Organizations throughout the world. Including; US DOJ, NHS UK, GOV UK. I'll often reblog infosec-related articles that I find interesting. On the RiSec website, You'll also find a variety of write-ups, tutorials and much more!

more infosec reads

Subscribe for weekly updates