Google has almost doubled its rewards for vulnerabilities in the Linux kernel, Kubernetes, Google Kubernetes Engine (GKE), and kCTF. The reward can now be up to $91,337.
In November last year, Google had already raised the payouts: at that time the company tripled the rewards for exploits of previously unknown bugs in the Linux kernel. The idea was to encourage researchers to discover new ways of exploiting the kernel, in particular in the context of Kubernetes running in the cloud. Researchers were asked to compromise Google's kCTF (Kubernetes Capture The Flag) cluster and capture a “flag” as part of the competition.
NOTE: Let me remind you that we wrote that Apple paid $100,000 for a macOS camera and microphone hack, and also that Zerodium offers up to $400,000 for Microsoft Outlook exploits.
Google reports that the program has been a success, receiving nine reports in three months and disbursing more than $175,000 to researchers. During this period, five 0-day vulnerabilities and two exploits for recently disclosed 1-day bugs were discovered. According to Google, thanks to the bug bounty, three of these issues have already been fixed and written up in detail, including CVE-2021-4154, CVE-2021-22600 (patch), and CVE-2022-0185 (report).
As a result, the program will be extended until at least the end of 2022 and will undergo a number of changes. Whereas in November it was decided that researchers would receive up to $50,337 for critical vulnerabilities (depending on the severity of the problem), the maximum reward has now been increased to $91,337.
The payout depends on several factors: whether the bug is a 0-day vulnerability, whether the exploit requires unprivileged user namespaces, and whether it uses a new exploitation technique. Each of these earns a $20,000 bonus, which raises the maximum payout for a working exploit to $91,337.