
Google Offering $91,000 Rewards for Linux Kernel, GKE Zero-Days

Published by
RiSec.n0tst3

Technology giant Google is offering bigger cash awards for hackers reporting critical security flaws affecting the Linux Kernel, GKE, Kubernetes, and kCTF.

In November last year, Google tripled the bug bounty rewards for Linux kernel flaws reported through its Vulnerability Rewards Program (VRP), for payouts of up to $50,337 for zero-day issues.

This week, the company announced it is nearly doubling that amount and offering a maximum reward of $91,337 for exploits that meet certain criteria. The maximum payout includes a base reward and three bonuses.

The base reward for the first exploit submitted for a certain vulnerability is $31,337, with no reward being offered for duplicate exploits.

However, the search advertising giant is offering a bonus of $20,000 for zero-day security bugs (paid for the first valid exploit), another $20,000 bonus for vulnerabilities that do not require unprivileged user namespaces (paid for the first valid exploit), and a third $20,000 bonus for exploits using novel exploit techniques (paid for duplicate exploits too).

The new rewards structure also offers participating researchers the possibility to earn as much as $71,337 for 1-day exploits, and at least $20,000 for duplicate exploits that use novel techniques.

However, Google said it would also limit the number of rewards for 1-days to only one per version/build. “There are 12-18 GKE releases per year on each channel, and we have two clusters on different channels, so we will pay the 31,337 USD base rewards up to 36 times (no limit for the bonuses).”

The company recommends that researchers test their exploits in their own kCTF clusters, to make sure that no other participants in the VRP will access the exploit.

Furthermore, the company says that, moving forward, zero-day submissions no longer have to include a flag at first, that reports for 1-days should include links to patches, and that the same form can be used to submit both exploits and flags.

“If you had submitted an exploit checksum for a 0day, please make sure that you include the original exploit as well as the final exploit and make sure to submit it within a week after the patch is merged on mainline,” Google added.

The company is now using a cluster for the REGULAR release channel and another for the RAPID release channel, to provide bug hunters with increased flexibility.

Since launching the expansion of kCTF VRP in November 2021, Google received nine vulnerability submissions — including five zero-days and two 1-days — and paid more than $175,000 in bug bounty rewards.


This post was last modified on 16 February 2022 11:13 AM
