
Google extends exploit bounty program, raises rewards

Google announced that its three-month bounty program for exploits of flaws in the Kubernetes container management system, the Linux kernel and Google Cloud's Kubernetes Engine is being extended to the end of the current year at the earliest, and that the maximum reward for a confirmed exploit has been raised to $91,377 from $50,337, according to ZDNet. The move comes as Google declares the current program a success, having received nine submissions during the period and awarded a total of $175,000 for five zero-day vulnerabilities and two exploits for flaws that had only recently been discovered. Google said it has made public and patched three of those vulnerabilities. Google initially required researchers to demonstrate an exploit for a given vulnerability by using it to breach its Kubernetes Capture The Flag cluster and retrieve a flag, that is, a secret hidden in the program, within the context of the event. The company said the extension will feature a few changes to the rules: it will pay out $31,337 "to the first valid exploit submission for a given vulnerability" and will not reward those who submit duplicate exploits, though bonuses may be awarded in certain cases.
