Google bug bounties inch closer to Microsoft's payouts (Security News, June 2023)
Bug hunters who found security holes in Google - and also responsibly disclosed details of those flaws to the Chocolate Factory - earned more than $12 million in bounty rewards in 2022, marking a record year for the corporation's Vulnerability Reward Programs in terms of payouts and number of vulnerabilities found and fixed.
Avrahami found several vulnerabilities and attack paths in Google Kubernetes Engine Autopilot that would allow an attacker to escape their pod, compromise the underlying node, escalate privileges to administrator level, and then deploy backdoors to maintain this access.
Second, third and fourth prizes went to Sivanesh Ashok and Sreeram KL. The duo won $73,331 for their report on SSH key injection in Google Compute Engine, and $31,337 for their research on how to bypass authorization in Google Cloud Workstations and steal a user's access token by abusing the format of an OAuth state parameter.
The fifth-place winners, Unit 42's Yuval Avrahami and Shaul Ben Hai, were awarded $17,311 for finding privilege escalation vectors in Kubernetes and vulnerabilities in Kubernetes hosting providers, including Azure's AKS, Amazon's EKS, and Google's GKE. A researcher who goes by Obmi won sixth prize, $13,373, for vulnerabilities in Google Cloud Shell's file upload feature that could allow a cross-site scripting attack.
Last year's record rewards come as Google increased its payouts for existing vulnerability programs and added new ones, including one that encourages researchers to report vulnerabilities in open-source projects with the goal being to improve software supply-chain security.
Announced last August, the new Open Source Software Vulnerability Rewards Program pays bug hunters between $100 and $31,337, with the highest payments going to "Unusual or particularly interesting vulnerabilities."
News URL
https://go.theregister.com/feed/www.theregister.com/2023/06/24/google_bug_bounties_2022/