Google hands out largest-ever VRP bug bounty

Google has handed a team of Polish security researchers US$50,000 (A$61,000) cash as a reward for uncovering a series of vulnerabilities inside the Google App Engine developer platform, which had the potential to allow intruders access beyond their own virtual machines.

Earlier this month, Security Explorations claimed it had uncovered as many as 30 flaws in the platform-as-a-service offering, which its said could allow attackers to bypass the Oracle Java security sandbox. 

But before they could gauge the full extent of the flaw, the researchers were detected by Google security systems and locked out of their Google App Engine account, preventing any further inquiry.

In the weeks following, however, Google gave the team the “green light” to complete its exploration of the GAE flaws, and to compile a report on their findings, as long as they limited their work to the Java Virtual Machine (JVM) layer and not to the next sandboxing layer.

The team re-started their work on 11 December and have since reported that they were able to narrow the list down to 21 security issues “confirmed in production”, including additional flaws found in the core GAE Java security layer.

It said that Google has acknowledged that “Security Explorations' report demonstrated that one of company's layers of defence had insufficient mitigations against a certain type of attacks and the auditing of the privileged Java classes were insufficient”. Google has reportedly already fixed the flaws that both parties have been able to agree upon, and remains in discussion with Security Explorations about a handful of others.

The effort has also resulted in a US$50,000 cash reward under Google’s vulnerability reward program (VRP), the highest bounty ever paid out under the scheme, which is separate to the Chrome VRP.

Security Explorations has in turn congratulated the web giant for “setting high standards when it comes to the support and appreciation of an externally conducted security research”.