We first introduced the GCP VRP Prize in 2019 to encourage security researchers to focus on the security of GCP, in turn helping us make GCP more secure for our users, customers, and the internet at large. Even three years into the program, the submissions we receive never cease to amaze us. After careful evaluation of the submissions, we are excited to announce the 2021 winners:
First Prize, $133,337: Sebastian Lutz for the report and write-up Bypassing Identity-Aware Proxy. Sebastian's excellent write-up outlines how he found a bug in Identity-Aware Proxy (IAP) that an attacker could have exploited to gain access to a user's IAP-protected resources by making the user visit an attacker-controlled URL and stealing their IAP auth token.
Second Prize, $73,331: Imre Rad for the report and write-up GCE VM takeover via DHCP flood. The flaw described in the write-up would have allowed an attacker to gain access to a Google Compute Engine VM by sending malicious DHCP packets to the VM and impersonating the GCE metadata server.
Third Prize, $73,331: Mike Brancato for the report and write-up Remote Code Execution in Google Cloud Dataflow. Mike's write-up describes how he discovered that Dataflow nodes were exposing an unauthenticated Java JMX port, and how an attacker could have exploited this to run arbitrary commands on the VM under some configurations.
Fourth Prize, $31,337: Imre Rad for the write-up The Speckle Umbrella story — part 2, which details multiple vulnerabilities that Imre found in Cloud SQL.
(Remember, you can make multiple submissions for the GCP VRP Prize and be eligible for more than one prize!)
Fifth Prize, $1,001: Anthony Weems for the report and write-up Remote code execution in Managed Anthos Service Mesh control plane. Anthony found a bug in Managed Anthos Service Mesh and came up with a clever exploit to execute arbitrary commands authenticated as a Google-managed per-project service account.
Sixth Prize, $1,000: Ademar Nowasky Junior for the report and write-up Command Injection in Google Cloud Shell. Ademar found a way to bypass some of the validation checks performed by Cloud Shell. This would have allowed an attacker to run arbitrary commands in a user's Cloud Shell session by making the user visit a maliciously crafted link.
Congratulations to all the winners!
Here is a video with more details about each of the winning submissions:
New Details About the 2022 GCP VRP Prize
We will pay out a total of $313,337 to the top seven submissions in the 2022 edition of the GCP VRP Prize. Individual prize amounts will be as follows:
- 1st prize: $133,337
- 2nd prize: $73,331
- 3rd prize: $31,337
- 4th prize: $31,311
- 5th prize: $17,311
- 6th prize: $13,373
- 7th prize: $13,337
If you are a security researcher, here is how you can enter the competition for the GCP VRP Prize 2022:
- Find a vulnerability in a GCP product (check out the Google Cloud Free Program to get started).
- Report it to bughunters.google.com. Your bug must be awarded a financial reward to be eligible for the GCP VRP Prize (the GCP VRP Prize money is paid in addition to what you received for your bug!).
- Create a public write-up describing your vulnerability report. One of the goals behind the GCP VRP Prize is to promote open research into cloud security.
- Submit it here.
Make sure to submit your VRP reports and write-ups before January 15, 2023 at 23:59 PT. VRP reports that were submitted in previous years but fixed only in 2022 are also eligible. You can check out the official rules for the prize here. Good luck!