
Google wants to make Linux kernel flaws harder to exploit

Aug 11, 2022, Hi-network.com

Google says it uses Linux in "almost everything" from Chromebooks to the cloud. Now it is increasing its rewards for security researchers who can spot flaws in the open-source operating system.

Since 2020, Google has run an open-source, Kubernetes-based Capture-the-Flag (CTF) project called kCTF, which allows researchers to connect to its Google Kubernetes Engine (GKE) instances and try to hack them to capture a flag. Every 'flag' caught so far has been a container breakout through a Linux kernel vulnerability.

Now Google has built a set of mitigations it believes will make most of the vulnerabilities and exploits it has received this past year more difficult to exploit. 

Google said it is offering up to $133,337 to hackers who can beat these mitigations.

Now it's offering an extra $21,000 for new exploits that compromise the latest Linux kernel and another $21,000 for hackers who can "clearly" bypass its experimental exploit mitigations in its custom instance. This brings total rewards up to a maximum of $133,337.

The kCTF program emphasizes finding new exploits against the kernel rather than new vulnerabilities. Google is keen to develop protections for the Linux kernel, which is used in Android, Chromebook and in Google Cloud workloads.  

Google is also now offering $20,000 to $91,337 for new kernel exploits indefinitely after introducing this reward range on a temporary basis in February.

"Rather than simply learning about the current state of the stable kernels, the new instances will be used to ask the community to help us evaluate the value of both our latest and more experimental security mitigations," says Google's Eduardo Vela. 

"With the kCTF VRP program, we are building a pipeline to analyze, experiment, measure and build security mitigations to make the Linux kernel as safe as we can with the help of the security community. We hope that, over time, we will be able to make security mitigations that make exploitation of Linux kernel vulnerabilities as hard as possible."
