Google has increased the amount of rewards for identifying vulnerabilities in the Linux kernel and Kubernetes

Google has announced an expansion of its initiative that pays cash rewards for identifying security issues in the Linux kernel, the Kubernetes container orchestration platform, Google Kubernetes Engine (GKE) and the kCTF (Kubernetes Capture the Flag) vulnerability competition environment.

The bounty program includes an additional $20 bonus for 0-day vulnerabilities, for exploits that do not require user namespace support, and for demonstrations of new exploitation methods. The base payout for demonstrating a working exploit in kCTF is $31337 (the base payout goes to the participant who first demonstrates a working exploit, but the bonus payouts can also be applied to subsequent exploits for the same vulnerability).

In total, including bonuses, the maximum reward for a 1-day exploit (a problem identified by analysing bug fixes in the codebase that were not explicitly marked as vulnerabilities) can reach $71337 (previously $31337), and for a 0-day exploit (a problem not yet fixed) $91337 (previously $50337). The payment program will run until December 31, 2022.

It is noted that over the past three months Google has processed 9 submissions with information about vulnerabilities, for which 175 thousand dollars were paid out. The participating researchers prepared five exploits for 0-day vulnerabilities and two for 1-day vulnerabilities. Three issues already fixed in the Linux kernel (CVE-2021-4154 in cgroup-v1, CVE-2021-22600 in af_packet and CVE-2022-0185 in VFS) have been publicly disclosed; these issues had already been identified through Syzkaller, and two fixes for them had been added to the kernel.

Source: opennet.ru