Google pays $100k USD to an infosec researcher for reporting vulnerability in GCP

This is further evidence of the importance of the work of ethical hackers and vulnerability reporting platforms. Wouter ter Maat, a specialist in cloud computing security, was rewarded by Google for his report on a critical vulnerability in Google Cloud Platform (GCP).

The GCP Vulnerability Reward Program was created in 2019, in an attempt by the company to incentivize research work on its cloud computing platform, offering rewards of up to $100k USD for critical security reports.

Google recently revealed that dozens of reports were considered, and among them all, the one submitted by ter Maat was selected for first place. The researcher, of Dutch origin, focused on four security flaws in Google Cloud Shell; one of these flaws abused the “Open in Cloud Shell” feature, which lets users clone repositories hosted on GitHub or Bitbucket.

The cloud computing security expert demonstrated how a specially crafted malicious Cloud Shell image can be used to gain unauthorized access to GCP resources. Subsequently, ter Maat detailed how a flaw in the path check logic of the Mercurial (hg) client would allow a threat actor to write files outside the repository’s boundaries: “If you can compromise or access another user’s Cloud Shell, it is possible to access all of the target’s resources,” the researcher says.

Wouter ter Maat, explaining his vulnerability report

Google acknowledged the validity and seriousness of the report, so it awarded ter Maat the $100k USD bounty: “Google contacted me in early February to let me know that my research was one of the three main contenders to receive the reward; two weeks later I received the news that I was the winner,” the cloud computing security expert excitedly said.

In this regard, ter Maat says that this is an incentive to continue testing the security of deployments at Google and other tech companies. The GCP bounty program for 2020 will increase the prizes, offering the winner up to $130k USD.

The International Institute of Cyber Security (IICS) stresses the importance of vulnerability bounty programs, which nurture the work of the cybersecurity community while providing competitive incentives that keep exploits from reaching the hacking black market.