Google bug bounties inch closer to Microsoft’s payouts

Bug hunters who found security holes in Google — and also responsibly disclosed details of those flaws to the Chocolate Factory — earned more than $12 million in bounty rewards in 2022, marking a record year for the company’s Vulnerability Reward Programs (VRPs) in terms of payouts and number of vulnerabilities found and fixed.

In total, more than 2,900 security researchers reported flaws and fixes.

That is an increase from 2021’s vulnerability rewards, which paid out $8.7 million to researchers and also broke Google’s previous records.

For comparison: Microsoft paid $13.7 million in bug rewards spread out over 335 researchers in 2021, with a $200,000 Hyper-V Bounty payout as its largest prize. Redmond hasn’t yet announced its 2022 bug bounties.

On Thursday, Google announced that Palo Alto Networks Unit 42 analyst Yuval Avrahami took the top prize: $133,337.

Avrahami found several vulnerabilities and attack paths in Google Kubernetes Engine (GKE) Autopilot that could allow an attacker to escape their pod, compromise the underlying node, escalate privileges to administrator level, and then deploy backdoors to maintain this access.

This led to “several hardening improvements in Autopilot,” according to Google.

Second, third and fourth prize went to Sivanesh Ashok and Sreeram KL. The duo won $73,331 for their report on SSH key injection in Google Compute Engine, and $31,337 for their research on how to bypass authorization in Google Cloud Workstations and steal a user’s access token by abusing the format of an OAuth state parameter.

They also received $31,311 for a write-up on client-side SSRF to Google Cloud Project takeover. This could be abused to steal a Vertex AI user’s access token by tricking them into clicking a malicious link.

The fifth-place winners, Unit 42’s Yuval Avrahami and Shaul Ben Hai, were awarded $17,311 for finding privilege escalation vectors in Kubernetes and vulnerabilities in Kubernetes hosting providers, including Azure’s AKS, Amazon’s EKS, and Google’s GKE.

A researcher who goes by Obmi won sixth prize, $13,373, for vulnerabilities in Google Cloud Shell’s file upload feature that could allow a cross-site scripting attack.

And finally, Bugra Eskici received $13,337 for reporting a command injection bug in Cloud Shell.

Last year’s record rewards come as Google increased its payouts for existing vulnerability programs and added new ones, including one that encourages researchers to report vulnerabilities in open-source projects, with the goal of improving software supply-chain security.

Announced last August, the new Open Source Software Vulnerability Rewards Program (OSS VRP) pays bug hunters between $100 and $31,337, with the highest payments going to “unusual or particularly interesting vulnerabilities.” ®