Google has launched a special three-month bug bounty for flaws in the Linux kernel, giving security researchers a triple reward.

The new bounty, announced this week, targets the Linux kernel's hardening in specific edge cases. Google is offering up to $31,337 ("leet") to security researchers who can achieve privilege escalation in Google's lab environment using a publicly patched vulnerability, and up to $50,337 for exploits of a previously unpublished zero-day flaw or ones that demonstrate a new exploitation technique.

Eduardo Vela of the Google Bug Hunters team said: ..

Incubated as a hobby by Linus Torvalds in Helsinki 30 years ago, the Linux kernel now powers most top websites and Internet infrastructure, from AWS to Microsoft Azure, Google, Facebook, and Wikipedia.

Google's base reward for each publicly patched vulnerability is $31,337, limited to one exploit per vulnerability. If the bug is not yet patched in the Linux kernel (a zero-day), or if the exploit uses what Google considers a new attack technique, the reward can reach $50,337.

“We hope that the new rewards will allow the security community to explore new kernel exploit methods, achieve privilege escalation, and fix these vulnerabilities more quickly,” Vela said.

"The simplest exploit primitives aren't available in the lab environment because of the hardening in Container-Optimized OS," he adds. Container-Optimized OS is a Chromium OS-based operating system for Google Compute Engine virtual machines, built to run Docker containers.

This three-month bounty also complements the Android VRP rewards, so exploits that work on Android may additionally be eligible for up to $250,000 on top of this program's payout.

The Google environment has some specific requirements demonstrated by Google security engineer Andy Nguyen, who discovered the 15-year-old BleedingTooth bug (CVE-2021-22555) on the Linux Bluetooth stack.

That bug is an out-of-bounds heap write in Linux Netfilter that bypasses all of the latest security mitigations and enables kernel code execution; using it, Nguyen was able to break Kubernetes pod isolation on the kCTF (Capture the Flag) cluster used for security competitions. Nguyen details his work in a write-up on GitHub.

Vela recommends that participants also submit a patch if they want additional rewards through the Patch Rewards Program.

Given the nature of open source software development, Google states that it does not want to receive details about unpatched vulnerabilities before they are published and patched. Researchers instead need to provide the algorithms used to calculate the exploit code's identifiers, and Google would like to receive a rough explanation of the exploit strategy.

