
Google hikes bounty for Linux kernel vulnerabilities


Google has announced a three-month Halloween-special bug bounty program that’s designed to help unearth and fix flaws in the Linux kernel.

The special program builds on top of the Vulnerability Rewards Program (VRP) announced last year, with triple the rewards for security researchers.

Google's base reward for each publicly patched vulnerability is $31,337, capped at one exploit per vulnerability. However, the reward can go up to $50,337 if the bug was otherwise unpatched in the Linux kernel (a zero-day), or if the exploit uses a new attack or technique in Google's view.


"We are constantly investing in the security of the Linux Kernel because much of the internet, and Google – from the devices in our pockets, to the services running on Kubernetes in the cloud – depend on the security of it," shared Eduardo Vela from the Google Bug Hunters Team.

Securing the Linux kernel

Vela adds that while Google already spends resources researching vulnerabilities in and attacks on the Linux kernel, and has earmarked resources to study and develop the kernel's defenses, it is conscious that it needs to do more.

"We hope the new rewards will encourage the security community to explore new Kernel exploitation techniques to achieve privilege escalation and drive quicker fixes for these vulnerabilities," adds Vela.

Furthermore, the new program complements the VRP rewards for Android, so exploits that work on the mobile OS are eligible for an additional reward of up to $250,000.

Explaining the mechanics of the initiative, Vela encourages participants to submit a patch to fix their reported vulnerability, which will also attract an additional award from Google’s Patch Reward Program.

Vela also suggests that bug hunters report any vulnerabilities upstream as soon as they are discovered, and only share them with Google once they’ve been publicly disclosed and patched.

Researchers are expected to provide the exploit code and the algorithm used to calculate the hash checksum, along with a rough description of the exploit strategy.


Mayank Sharma

With almost two decades of writing and reporting on Linux, Mayank Sharma would like everyone to think he’s TechRadar Pro’s expert on the topic. Of course, he’s just as interested in other computing topics, particularly cybersecurity, cloud, containers, and coding.