Google’s bug bounty boss: Finding and patching vulns? ‘Totally useless’

Simply finding vulnerabilities and patching them “is totally useless,” according to Google’s Eduardo Vela, who heads the cloud giant’s product security response team.

“We don’t care about vulnerabilities; we care about exploits,” he told The Register in an exclusive interview. “We expect the vulnerabilities are there, they will get patched, and that’s nice and all. But the whole idea is what to do beyond just patching a couple of vulnerabilities.”

To this end, Google’s open-source, Kubernetes-based Capture-the-Flag (kCTF) project doesn’t pay researchers a bounty just to find a Linux kernel vulnerability. Instead, they’ve got to exploit the bug: connect to Google Kubernetes Engine (GKE) instances, hack them, and use the bug to steal the hidden flags.

The broader community then learns from the exploit and can use this knowledge to try to make the Linux kernel (and the internet in general) more secure. And the bug-hunter potentially earns upwards of $100,000.

“This is why we pay $100,000: It is so much more work, and we learn a lot from these exploits,” Vela said.

Earlier this year, Google increased its reward amounts and today it said it will permanently pay these higher rates – between $20,000 and $91,337 – to researchers who find and exploit bugs in its lab kCTF environment.

This is up from an original $10,000-per-exploit prize pouch, which Vela admitted “did not attract a lot of attention.”

Additionally, as part of the kCTF program, Google is launching new instances with additional bounties to evaluate the latest Linux kernel stable image and experimental mitigations in a custom-built kernel. It will pay an additional $21,000 for exploits that compromise the latest Linux kernel, and that same amount for the experimental mitigations, bringing the total rewards to a maximum of $133,337.

The first set of mitigations targets the following exploit techniques: out-of-bounds write on slab, cross-cache attacks, elastic objects and freelist corruption.

And there may be more in the future, according to Vela.

“The whole idea with a VRP is a community effort,” he said, referring to vulnerability rewards programs. In total, Google paid out $8.7 million in rewards to almost 700 researchers across its various VRPs last year.

“We are just one actor in the whole community that happens to have economic resources, financial resources, but we need the community to help us make the Kernel better,” Vela said. “If the community is engaged and helps us validate the mitigations that we have, then, we will continue growing on top of that. But the whole idea is that we need to see where the community wants us to go with this.”

As organizations’ attack surfaces continue to expand, and the threats themselves grow in sophistication and sheer number, private organizations like Google and Microsoft are paying higher bug bounties while an increasing number of public agencies join in the hunt.

On Independence Day, the US Department of Defense kicked off its own program for reports of vulnerabilities in public-facing systems and applications in partnership with bug bounty platform maker HackerOne.

In fact, that vendor’s most recent report found bounty prices for high and critical vulnerabilities are rising as organizations prioritize high-impact bugs.

The median price of a critical bug jumped 20 percent, from $2,500 in 2020 to $3,000 in 2021, according to HackerOne. Meanwhile, the average bounty price for a critical bug increased 13 percent, and 30 percent for a high-severity bug.

However, it’s not always about the cash payout, according to Vela, and different bug hunters have different motivations. Some want money, some want fame and some just want to solve an interesting problem, Vela said. “We are trying to find the right combination to captivate people.” ®