We first introduced the GCP VRP Prize in 2019 to encourage security researchers to focus on the security of Google Cloud Platform (GCP), in turn helping us make GCP more secure for our users, customers, and the internet at large. Even 3 years into the program, the submissions we are getting never cease to amaze us. After careful evaluation of the submissions, we are excited to announce the 2021 winners:
First Prize, $133,337: Sebastian Lutz for the report and write-up Bypassing Identity-Aware Proxy. Sebastian's excellent write-up outlines how he found a bug in Identity-Aware Proxy (IAP) which an attacker could have exploited to gain access to a user's IAP-protected resources by making them visit an attacker-controlled URL and stealing their IAP auth token.
Second Prize, $73,331: Imre Rad for the report and write-up GCE VM takeover via DHCP flood. The flaw described in the write-up would have allowed an attacker to gain access to a Google Compute Engine VM by sending malicious DHCP packets to the VM and impersonating the GCE metadata server.
Third Prize, $73,331: Mike Brancato for the report and write-up Remote Code Execution in Google Cloud Dataflow. Mike's write-up describes how he discovered that Dataflow nodes were exposing an unauthenticated Java JMX port and how an attacker could have exploited this to run arbitrary commands on the VM under some configurations.
Fourth Prize, $31,337: Imre Rad for the write-up The Speckle Umbrella story — part 2, which details multiple vulnerabilities that Imre found in Cloud SQL.
(Remember, you can make multiple submissions for the GCP VRP Prize and be eligible for more than one prize!)
Fifth Prize, $1,001: Anthony Weems for the report and write-up Remote code execution in Managed Anthos Service Mesh control plane. Anthony found a bug in Managed Anthos Service Mesh and came up with a clever exploit to execute arbitrary commands authenticated as a Google-managed per-project service account.
Sixth Prize, $1,000: Ademar Nowasky Junior for the report and write-up Command Injection in Google Cloud Shell. Ademar found a way to bypass some of the validation checks performed by Cloud Shell. This would have allowed an attacker to run arbitrary commands in a user's Cloud Shell session by making them visit a maliciously crafted link.
Congratulations to all the winners!
Here is a video with more details about each of the winning submissions:
New Details About the 2022 GCP VRP Prize
We will pay out a total of $313,337 to the top seven submissions in the 2022 edition of the GCP VRP Prize. Individual prize amounts will be as follows:
- 1st prize: $133,337
- 2nd prize: $73,331
- 3rd prize: $31,337
- 4th prize: $31,311
- 5th prize: $17,311
- 6th prize: $13,373
- 7th prize: $13,337
If you're a security researcher, here's how you can enter the competition for the GCP VRP Prize 2022:
- Find a vulnerability in a GCP product (check out the Google Cloud Free Program to get started).
- Report it to bughunters.google.com. Your bug needs to be awarded a financial reward to be eligible for the GCP VRP Prize (the GCP VRP Prize money will be in addition to what you received for your bug!).
- Create a public write-up describing your vulnerability report. One of the goals behind the GCP VRP Prize is to promote open research into cloud security.
- Submit it here.
Make sure to submit your VRP reports and write-ups before January 15, 2023 at 23:59 PT. VRP reports which were submitted in previous years but fixed only in 2022 are also eligible. You can check out the official rules for the prize here. Good luck!