Google says it is paying researchers for reporting vulnerabilities and working exploits against the Linux kernel as deployed in Google Kubernetes Engine (GKE), and that it is offering bigger bonuses to those who report zero-day bugs and exploits. Google says it increased the rewards to match the community’s expectations, and, “because we consider the program a success,” it is extending the Vulnerability Reward Program (VRP) through 2023.
No company wants to be the root cause of a breach, and this is likely one of the motivations behind Google’s decision to increase its reward values. After all, software risk IS business risk. Kubernetes is one of the leading orchestration technologies and was originally designed by Google, so it comes as no surprise that Google also relies on it to run its own cloud operations. With that in mind, it makes good sense to incentivise security researchers to find critical vulnerabilities, because every such finding helps make the software used by Google and its customers safer. This is something all organisations should strive for: it is never a bad idea to involve security experts in checking software before it is shipped to customers. Penetration tests, infrastructure reviews and even the development process itself should be under constant scrutiny, so that exploitable weaknesses are found before an attacker finds them.
Another side to this story is the rising dissatisfaction among security experts and white-hat hackers that their services are not recognised and valued enough. This theme was quite prominent last year, and some researchers raised it directly on Twitter. Bug bounty programs are a good thing: they lead to the identification of issues in software that might otherwise end in critical data breaches. The participants involved should therefore be valued and paid accordingly. In the end, these individuals are saving organisations not only money, but also their reputation.