During the last months Google has paid special attention to security issues found in the kernel Linux and KubernetesAs in November last year, Google increased the size of payouts as the company tripled exploit bounties for previously unknown bugs in the Linux kernel.
The idea was that people could discover new ways to exploit the kernel, particularly in relation to Kubernetes running in the cloud. Google now reports that the bug-finding program has been a success, receiving nine reports in three months and disbursing more than $175,000 to researchers.
And it is that through a blog post Google again released an announcement about the expansion of the initiative to pay cash rewards for identifying security issues in the Linux kernel, Kubernetes container orchestration platform, Google Kubernetes Engine (GKE), and Kubernetes Capture the Flag (kCTF) vulnerability competition environment.
The post mentions that now the rewards program includes an additional bonus $20,000 for zero-day vulnerabilities for exploits that do not require user namespace support and for demonstrating new exploit techniques.
The base payout for demonstrating a working exploit at the kCTF is $31 (the base payout is awarded to the entrant who first demonstrates a working exploit, but bonus payouts can be applied to subsequent exploits for the same vulnerability).
We increased our rewards because we recognized that in order to attract the attention of the community we needed to match our rewards with their expectations. We consider the expansion to have been a success, and so we would like to extend it further at least until the end of the year (2022).
Over the last three months, we've received 9 submissions and paid over $175 so far.
In the publication we can see that total, taking into account the bonuses, the maximum reward for an exploit (issues identified based on analysis of bug fixes in the code base that are not explicitly marked as vulnerabilities) can reach up to $71 (previously the highest reward was $31), and for a zero-day problem (problems for which there is no solution yet) up to $337 is paid (previously the highest reward was $91,337). The payment program will be valid until December 31, 2022.
It is noteworthy that in the last three months, Google has processed 9 requests cwith information on vulnerabilities, for which 175 thousand dollars were paid.
Participating researchers prepared five exploits for zero-day vulnerabilities and two for 1-day vulnerabilities. Three fixed issues in the Linux kernel have been publicly disclosed (CVE-2021-4154 in cgroup-v1, CVE-2021-22600 in af_packet and CVE-2022-0185 in VFS) (these issues have already been identified via Syzkaller and for two bug fixes were added to the kernel).
These changes increase some 1-day exploits to $71 (vs. $337) and make the maximum reward for a single exploit $31 (vs. $337). We will also pay even for duplicates at least $91 if they demonstrate novel exploit techniques (instead of $337). However, we will also limit the number of rewards for 50 day to just one per version/build.
There are 12-18 GKE releases per year on each channel, and we have two groups on different channels, so we will pay the base rewards of 31 USD up to 337 times (no limit for bonuses). While we don't expect every update to have valid 36-day shipping, we'd love to hear otherwise.
As such it is mentioned in the announcement that the sum of the payments depends on several factors: if the problem found is a zero-day vulnerability, if it requires non-privileged user namespaces, if it uses some new exploitation methods. Each of these points comes with a bonus of $ 20,000, which ultimately raises the payment for a working exploit to $ 91,337.
Finally sIf you are interested in knowing more about it about the note, you can check the details in the original post In the following link.