Google Cloud Platform – Vulnerability Reward Program (VRP)

Google announced a yearly Google Cloud Platform (GCP) VRP Prize to promote security research of GCP. Since then, Google has received many interesting entries from the security research community as part of this new initiative. Google is now announcing the winner, as well as several updates to its program for 2020.
After careful evaluation of all the submissions, Google has announced the winner of the 2019 GCP VRP prize: Wouter ter Maat, who submitted a write-up about Google Cloud Shell vulnerabilities. You can read his winning write-up here.
There were several other excellent reports submitted to the GCP VRP in 2019. To learn more about them, watch this video by LiveOverflow, which explains some of the top submissions in detail.
To encourage more security researchers to look for vulnerabilities in GCP and to better reward its top bug hunters, Google is tripling the total amount of the GCP VRP Prize this year. Google will pay out a total of $313,337 for the top vulnerability reports in GCP products submitted in 2020. The following prize amounts will be distributed between the top 6 submissions:

  • 1st prize: $133,337
  • 2nd prize: $73,331
  • 3rd prize: $73,331
  • 4th prize: $31,337
  • 5th prize: $1,001
  • 6th prize: $1,000

These prizes are only for vulnerabilities found in GCP products. If you have budget constraints regarding access to testing environments, you can use the free tier of GCP. Note that this prize is not a replacement for Google's Vulnerability Reward Program (VRP), and that Google will continue to pay security researchers under the VRP for disclosing security issues that affect Google services, including GCP. Complete details, terms and conditions about the prize can be found here.

Make sure to nominate your VRP reports and write-ups for the 2020 GCP VRP prize here before December 31, 2020 at 11:59 GMT.