Google has announce the winners of its $313,337 2020 Google Cloud Platform (GCP) bug bounty prize that was split among just six security researchers.
This was the second year Google has run the GCP vulnerability reward program and offered six researchers a share of $313,337, or triple the $100,000 pool it created for the 2019 program. The prizes go to researchers who've submitted reports on exceptional security flaws in GCP. So this isn't a reward for a bug bounty, but an additional prize and recognition for submissions to Google's vulnerability reward program.
The first prize of an impressive $133,337 in the 2020 GCP program went to Ezequiel Pereira, a Uruguayan university student and security enthusiast, who found a remote code execution (RCE) flaw in the Google Cloud Deployment Manager.
SEE: Security Awareness and Training policy (TechRepublic Premium)
Google paid the $133,337 prize to Pereira on top of a $31,337 reward for the original report he submitted last year, meaning he's landed $164,674 for this one report.
"The bug discovered by Ezequiel allowed him to make requests to internal Google services, authenticated as a privileged service account," writes Harshvardhan Sharma, an information security engineer at Google. It is a server-side request forgery (SSRF) attack.
Pereira started exploring Deployment Manager API methods by enabling it on the Google Cloud Console. From there he went to the metrics page of the console and looked at the Filters section to view a a list called Methods, where he found two documented API versions called "v2" and "v2beta", and also two undocumented API versions called "alpha" and "dogfood".
The "dogfood" API piqued his interest because he knew Google uses the term "dogfooding" for its own teams using their software products internally before releasing them to the public.
The second prize of $73,331 went to David Nechuta for another SSRF bug in Google Cloud Monitoring that could be used to leak the authentication of the service account used for the service's uptime check feature. The prize is on top of $31,000 he received for the original report.
The third prize of $73,331 was awarded to Dylan Ayrey and Allison Donovan for the report and write-up Fixing a Google Vulnerability. They pointed out issues in the default permissions associated with some of the service accounts used by GCP services.
Other recipients included Bastien Chatelard for his report and write-up Escaping GKE gVisor sandboxing using metadata; Brad Geesaman for his report and write-up CVE-2020-15157 "ContainerDrip" Write-up; and Chris Moberly for the report and write-up Privilege Escalation in Google Cloud Platform's OS Login.