Security: Google will pay over $90,000 for new bugs in Linux and Kubernetes


Google will pay between $20,000 and $91,337 to researchers who create exploits for vulnerabilities in the Linux kernel, the Kubernetes container orchestration system, and Google Cloud’s managed Kubernetes service, Google Kubernetes Engine (GKE).

The move is an extension of the three-month bounty program Google launched in November, in which rewards were tripled for exploits of new and unknown Linux kernel bugs. The goal was to surface new kernel exploitation techniques, especially ones that affect services running on Kubernetes in the cloud.

Researchers had to show that they could use an exploit for a given bug to compromise Google’s kCTF (Kubernetes Capture The Flag) cluster and obtain a “flag” – a secret hidden in a program – as in a capture-the-flag competition, which in this case was hosted on Google’s own cluster.

Plenty of zero-days

Google considered the program a success, so it will extend it at least until the end of 2022. But it also made a number of changes, covering rules, terms and rewards.

First, the maximum reward for a single exploit rises from $50,337 to $91,337.

Regarding the program’s success to date, Google says it received nine submissions in the past three months and paid out over $175,000 in rewards. The submissions included five exploits for zero-day (previously unknown) vulnerabilities and two exploits for 1-day (recently disclosed) vulnerabilities. Three of the bugs have been patched and made public: CVE-2021-4154, CVE-2021-22600, and CVE-2022-0185, according to Google.

Google changes rewards structure “slightly”

Google is changing the rewards structure “slightly”. It will now pay $31,337 “on the first valid exploit submission for a given vulnerability” and pay nothing for duplicate exploits.

However, it clarifies that certain bonuses may still apply to duplicate exploits. These include: $20,000 for exploits of zero-day vulnerabilities; $20,000 for exploits that do not require unprivileged user namespaces (CLONE_NEWUSER); and $20,000 for exploits using new exploitation techniques (previously Google paid nothing for these).

“These changes increase some 1-day exploits to $71,337 (from $31,337), and make the maximum reward for a single exploit $91,337 (from $50,337),” Google notes.

In search of new hacking techniques

Regarding what it considers to be new techniques, Google specifies:

“A novel technique may be the exploitation of previously unknown objects to transform a bounded primitive into a more powerful primitive, such as an arbitrary/out-of-bounds read/write or an arbitrary free. For example, in all of our submissions, researchers have exploited message queues to achieve kernel leaks.”

“We are looking for equally powerful techniques that allow immediate access to the kernel. An example is bypassing a common security mitigation or a technique to exploit a class of vulnerabilities more reliably.”

This Linux kernel exploit bug bounty is a small part of Google’s bug bounty programs covering Android, Chrome and other open source projects. In 2021, Google paid out $8.7 million in rewards, including $2.9 million for Android bugs and $3.3 million for Chrome bugs. Last year’s total rewards increased from $6.7 million in 2020.

Source: ZDNet.com
