Google almost doubles Linux Kernel, Kubernetes zero-day rewards

Google almost doubles Linux Kernel, Kubernetes zero-day rewards

Google says it bumped up rewards for reports of Linux Kernel, Kubernetes, Google Kubernetes Engine (GKE), or kCTF vulnerabilities by adding bigger bonuses for zero-day bugs and exploits using unique exploitation techniques.

“We increased our rewards because we recognized that in order to attract the attention of the community we needed to match our rewards to their expectations,” Google Vulnerability Matchmaker Eduardo Vela explained.

“We consider the expansion to have been a success, and because of that we would like to extend it even further to at least until the end of the year (2022).”

While initially announced in November that reports of critical vulnerabilities will get rewards of up to $50,337 depending on their severity, Google now increased the maximum reward to $91,337.

Getting the maximum amount of money for an exploit depends on several conditions, including if they are zero-days (unknown bugs without a security patch), if they do not require unprivileged user namespaces, and if they use novel exploit techniques.

Each of them comes with a $20,000 bonus that could bring the value of a first valid exploit submission up to $91,337.

“These changes increase some 1day exploits to 71,337 USD (up from 31,337 USD), and makes it so that the maximum reward for a single exploit is 91,337 USD (up from 50,337 USD),” Vela explained.

“We also are going to pay even for duplicates at least 20,000 USD if they demonstrate novel exploit techniques (up from 0 USD). However, we will also limit the number of rewards for 1days to only one per version/build.”

While Google will not pay for duplicate exploits of the same security flaw, the company says that bonuses for novel exploit techniques will still apply, which means that researchers could still get $20,000 for duplicates.

$175,000 paid in the last three months

Since November, Google has paid more than $175,000 for nine different submissions, including five zero-days and two 1-days.

Google says it already fixed three out of these nine vulnerabilities: CVE-2021-4154, CVE-2021-22600 (patch), and CVE-2022-0185 (writeup).

“These three bugs were first found by Syzkaller, and two of them had already been fixed on the mainline and stable versions of the Linux Kernel at the time they were reported to us,” Vela added.

As Google revealed in July 2021, since launching its first VRP over ten years ago, it has rewarded more than 2,000 security researchers from 84 different countries for reporting roughly 11,000 bugs.

All in all, Google said that researchers had earned over $29 million since January 2010, when the Chromium vulnerability reward program was launched.

In the Vulnerability Reward Program: 2021 Year in Review report published last week, the company said that it awarded a record-breaking $8,700,000 in rewards in 2021, including the highest payout in Android VRP history: a $157,000 exploit chain.