Google is upping its Linux bug bounty prize

Linux penguin logo on wood.
(Image credit: Pixabay)

White hat hackers and other bounty hunters rejoice - Google has just significantly raised the prizes for discovering zero-day and one-day vulnerabilities on Linux-powered endpoints.

In a blog post by Vulnerability Matchmaker Eduardo Vela, it says that Google was recently forced to up the ante “to match our rewards to the expectations” of the Linux community. As the move turned out to be a success, the company has now decided to extend it until the end of the year.

That being said, until December 31 2022, Google will pay anywhere between $20,000 and $91,337 for exploits of vulnerabilities in the Linux Kernel, Kubernetes, GKE, or kCTF, that are exploitable in its test lab.

L33T sp33k

For those wondering why $91,337, and not 90,000, 91,000, or any other round number - 1337 is also known as “Leet speek”, or “elite speak” - the language of the hacking and gaming communities. This is the community that often shortens words and replaces letters with numbers, so “elite” will become “1337”, 

So, what exactly did Google do? 

  • Reporting a zero-day vulnerability will not require including a flag at first, to prevent leaking the exploit to other participants.
  • Reporting a one-day will require including a link to the patch.
  • Participants will be able to submit the exploit in the same form they submit the flag
  • Google is now running two clusters, one on the REGULAR release channel and one on the RAPID release channel, to provide more flexibility
  • $31,337 will go to the first valid exploit submission for a given vulnerability
  • $0 will go for duplicate exploits for the same vulnerability
  • $20,000 will go for exploits for zero-day vulnerabilities
  • $20,000 will also go for exploits for vulnerabilities that do not require unprivileged user namespaces (CLONE_NEWUSER)
  • The same reward will be given out for exploits using novel exploit techniques

“These changes increase some one-day exploits to $71,337 USD (up from $31,337), and make it so that the maximum reward for a single exploit is $91,337 USD (up from $50,337),” Google explained. 

“We also are going to pay even for duplicates at least $20,000 if they demonstrate novel exploit techniques (up from $0). However, we will also limit the number of rewards for one-days to only one per version/build.”

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.