Google hikes bounty for Linux kernel vulnerabilities

Security Bug
(Image credit: Shutterstock)

Google has announced a three-month Halloween-special bug bounty program that’s designed to help unearth and fix flaws in the Linux (opens in new tab) kernel.

The special program builds on top of the Vulnerability Rewards Program (VRP) announced last year (opens in new tab), with triple the rewards for security researchers.

Google's base rewards for each publicly patched vulnerability is $31,337, capped at one exploit per vulnerability. However, the reward can go up to $50,337 if the bug was otherwise unpatched in the Linux kernel (a zero-day); or if the exploit uses a new attack or technique in Google's view.

TechRadar needs yo...

We're looking at how our readers use VPNs with streaming sites like Netflix so we can improve our content and offer better advice. This survey won't take more than 60 seconds of your time, and we'd hugely appreciate if you'd share your experiences with us.

>> Click here to start the survey in a new window (opens in new tab) <<

"We are constantly investing in the security of the Linux Kernel because much of the internet, and Google – from the devices in our pockets, to the services running on Kubernetes in the cloud – depend on the security of it," shared (opens in new tab) Eduardo Vela from the Google Bug Hunters Team.

Securing the Linux kernel

Vela adds that while Google spends resources to research the vulnerabilities and attacks (opens in new tab) on the Linux kernel, and has earmarked resources to study and develop the kernel’s defenses (opens in new tab), it is conscious of the fact that it needs to do more.

"We hope the new rewards will encourage the security community to explore new Kernel exploitation techniques to achieve privilege escalation and drive quicker fixes for these vulnerabilities," adds Vela.

Furthermore, the new program complements the VRP rewards for Android (opens in new tab), so exploits that work on the mobile OS are eligible for an additional reward of up to $250,000.

Explaining the mechanics of the initiative, Vela encourages participants to submit a patch (opens in new tab) to fix their reported vulnerability, which will also attract an additional award from Google’s Patch Reward Program.

Vela also suggests that bug hunters report any vulnerabilities upstream as soon as they are discovered, and only share them with Google once they’ve been publicly disclosed and patched.

Researchers are expected to provide the exploit code and the algorithm used to calculate the hash checksum, along with a rough description of the exploit strategy.

To help you run Linux, we’ve rounded up the best Linux laptops (opens in new tab)

Mayank Sharma

With almost two decades of writing and reporting on Linux, Mayank Sharma would like everyone to think he’s TechRadar Pro’s expert on the topic. Of course, he’s just as interested in other computing topics, particularly cybersecurity, cloud, containers, and coding.