Google doubles bug bounty rewards for Linux, Kubernetes exploits

The increased rewards are said to align better with the community's expectations of a bug bounty programme of this kind

Google has announced it will be doubling the rewards it offers to bug hunters who can demonstrate working exploits for a range of zero-day and one-day vulnerabilities across a variety of platforms. 

The reward increases will be applied to exploits discovered in the Linux Kernel, Kubernetes, Google Kubernetes Engine (GKE), or kCTF (Kubernetes-based infrastructure for capture the flag exercises), with the next review coming at the start of 2023.

Rewards for valid one-day exploits more than double, to a maximum of $71,337, up from $31,337 previously. Sometimes known as 'n-days', one-days are vulnerabilities that are already publicly known and patched; Google will nevertheless pay for novel exploits of them.

Bug hunters seeking rewards for valid one-day exploits will have to provide a link to the existing patch in their report. Google also said it will limit rewards for one-day vulnerabilities to one per version or build.

"There are 12-18 GKE releases per year on each channel, and we have two clusters on different channels, so we will pay the $31,337 base rewards up to 36 times (no limit for the bonuses)," said Eduardo Vela, Product Security Response TL/M at Google. "While we don't expect every upgrade to have a valid 1day submission, we would love to learn otherwise."

Rewards for valid exploits of previously unknown zero-day vulnerabilities will nearly double, to a maximum of $91,337, up from $50,337 previously. Zero-day vulnerabilities typically attract greater rewards because a vendor wants to fix the weakness before knowledge of it reaches cyber criminals.

"We launched an expansion of kCTF VRP on 1 November 2021 in which we paid $31,337 to $50,337 to those that are able to compromise our kCTF cluster and obtain a flag," said Vela. "We increased our rewards because we recognised that in order to attract the attention of the community we needed to match our rewards to their expectations. We consider the expansion to have been a success, and because of that, we would like to extend it even further to at least until the end of the year (2022)."

A growing body of recent research has highlighted cyber criminals' shift in focus towards Linux environments, both in and outside of the cloud.

Qualys published findings earlier this year regarding a Linux root privilege flaw that went unnoticed for 12 years while "hiding in plain sight", while VMware observed an increasing number of ransomware attacks targeting Linux-based multi-cloud environments last week.

Full details on the reporting process can be found in the Google blog post.

Reward structure

Google will offer a base reward of $31,337 for the first valid exploit for a given vulnerability, zero-day or one-day. This will be paid only once per vulnerability and once per cluster version or build. Duplicate exploits will not be rewarded unless they present a novel exploit chain, Google said.

From there, a total of three bonuses of $20,000 are available depending on the nature of the exploit disclosed.

  • $20,000 will be awarded if the exploit is a zero-day
  • A further $20,000 will be awarded for exploits that do not require unprivileged user namespaces
  • Another $20,000 is on offer to those who can demonstrate novel exploit techniques. This bonus is also available for duplicate exploits, and Google requires a full write-up for a submission to qualify