Google is one of the companies that pays ethical hackers for the vulnerabilities they find, with rewards scaled to the severity of the bug and the product it affects. The company has now announced higher rewards for exploits against the Linux kernel, Google Kubernetes Engine (GKE) and kCTF, with the largest bonuses reserved for zero-day vulnerabilities.
Rewards go up to $91,337
The increase appears to be temporary: Google’s announcement opens with “Until December 31, 2022…”. That could mean the bonus period simply ends with the year, or that Google intends to raise the bounties further afterwards. The company says the decision is based on the last three months, counted from the expansion of the kCTF VRP on November 1.
The first valid exploit submission for a given vulnerability earns $31,337. Duplicate exploits get no base reward, but they can still qualify for the novel-technique bonus. Each of the bonuses below adds $20,000 to the reward:
- Exploits for 0day vulnerabilities. This will only be paid once per vulnerability to the first valid exploit submission.
- Exploits for vulnerabilities that do not require unprivileged user namespaces (CLONE_NEWUSER). This will only be paid once per vulnerability to the first valid exploit submission.
- Exploits using novel exploit techniques. This is a bonus in addition to the base rewards (applies for duplicate exploits). To qualify for this additional reward please send us a write-up explaining it.
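The CLONE_NEWUSER bonus exists because many Linux kernel privilege-escalation exploits rely on unprivileged user namespaces to reach code paths that otherwise require capabilities such as CAP_NET_ADMIN, which is why hardened distributions and container runtimes often disable them. The probe below, an added example and not code from Google or the kCTF project, checks from an unprivileged shell whether unshare(CLONE_NEWUSER) is permitted on the current host and distinguishes a policy refusal from a kernel built without user namespace support. The function names (probe_unpriv_userns, classify_unshare_errno) and the errno-to-verdict mapping are this example's own choices.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <sched.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Outcome of trying unshare(CLONE_NEWUSER) as the current (ideally unprivileged) user. */
enum userns_probe {
    USERNS_ERROR       = -2, /* fork/wait failure or an errno this probe does not map */
    USERNS_UNSUPPORTED = -1, /* EINVAL/ENOSYS: kernel built without CONFIG_USER_NS */
    USERNS_DENIED      = 0,  /* EPERM/EACCES/ENOSPC/EUSERS: blocked by sysctl, LSM or limits */
    USERNS_AVAILABLE   = 1   /* call succeeded: an exploit could rely on CLONE_NEWUSER here */
};

/* Map the errno left by a failed unshare(CLONE_NEWUSER) (0 = success) to a verdict.
 * The grouping is this example's own interpretation of the documented errno values. */
int classify_unshare_errno(int saved_errno) {
    switch (saved_errno) {
    case 0:      return USERNS_AVAILABLE;
    case EPERM:  /* e.g. kernel.unprivileged_userns_clone=0 on Debian/Ubuntu kernels, or LSM policy */
    case EACCES:
    case ENOSPC: /* user.max_user_namespaces exhausted or set to 0 */
    case EUSERS: /* nesting limit reached */
        return USERNS_DENIED;
    case EINVAL: /* CONFIG_USER_NS=n */
    case ENOSYS:
        return USERNS_UNSUPPORTED;
    default:
        return USERNS_ERROR;
    }
}

/* Human-readable label for a probe result. */
const char *userns_probe_label(int result) {
    switch (result) {
    case USERNS_AVAILABLE:   return "unprivileged user namespaces available";
    case USERNS_DENIED:      return "unprivileged user namespaces denied by policy";
    case USERNS_UNSUPPORTED: return "user namespaces not supported by this kernel";
    default:                 return "probe failed";
    }
}

/* Run the probe in a forked child so the caller never ends up inside a new
 * user namespace; the child's exit status carries the raw errno back. */
int probe_unpriv_userns(void) {
    pid_t pid = fork();
    if (pid < 0) return USERNS_ERROR;
    if (pid == 0) {
        int err = (unshare(CLONE_NEWUSER) == 0) ? 0 : errno;
        _exit(err & 0xff); /* Linux errno values are small positive ints and fit in a byte */
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status)) return USERNS_ERROR;
    return classify_unshare_errno(WEXITSTATUS(status));
}

int main(void) {
    /* As root the call succeeds whatever the sysctl says, so the result is only
     * meaningful when run as the user an exploit would actually start from. */
    if (geteuid() == 0)
        fprintf(stderr, "warning: running as root; run this as an unprivileged user\n");
    int r = probe_unpriv_userns();
    printf("%s\n", userns_probe_label(r));
    return r == USERNS_AVAILABLE ? 0 : 1;
}
```

Run it as the unprivileged user the exploit would start from. A result of "denied by policy" means an exploit that needs CLONE_NEWUSER will not work on that host, which is exactly the class of exploit the bonus rewards for not needing.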
Over the last three months the company has paid more than $175,000 in bounties for five zero-day and two one-day vulnerabilities. Google also pays for bugs found in its Chrome web browser.