Google says it uses Linux in “almost everything” from Chromebooks to the cloud. Now it is increasing its rewards for security researchers who can spot flaws in the open-source operating system.
Since 2020, Google has run an open-source Kubernetes-based Capture-the-Flag (CTF) project called kCTF which allows researchers to connect to its Google Kubernetes Engine (GKE) instances, and try to hack them to capture a flag. Every ‘flag’ caught so far has been a container breakout through a Linux kernel vulnerability.
Now Google has built a set of mitigations that it believes would make most of the vulnerabilities and exploits submitted to the program over the past year more difficult to exploit.
Google said it is offering up to $133,337 to hackers who can beat these mitigations.
It is now paying an extra $21,000 for new exploits that compromise the latest Linux kernel, and another $21,000 for hackers who can “clearly” bypass the experimental exploit mitigations on its custom instance. This brings the total reward up to a maximum of $133,337.
The kCTF program emphasizes finding new exploits against the kernel rather than new vulnerabilities. Google is keen to develop protections for the Linux kernel, which is used in Android, Chromebook and in Google Cloud workloads.
Google is also now offering $20,000 to $91,337 for new kernel exploits indefinitely after introducing this reward range on a temporary basis in February.
“Rather than simply learning about the current state of the stable kernels, the new instances will be used to ask the community to help us evaluate the value of both our latest and more experimental security mitigations,” says Google’s Eduardo Vela.
“With the kCTF VRP program, we are building a pipeline to analyze, experiment, measure and build security mitigations to make the Linux kernel as safe as we can with the help of the security community. We hope that, over time, we will be able to make security mitigations that make exploitation of Linux kernel vulnerabilities as hard as possible.”