Google told researcher 'Nice catch!' Then denied bug bounty for flaw it still hasn't fixed
EXCLUSIVE Google has a security hole in a Kubernetes operator that could allow attackers to bypass Google Cloud Platform (GCP) identity and access protections and gain full control over any organization's cloud environment. Or it has a serious communication and transparency problem when it comes to its bug bounty programs.
Maybe both.
Researcher and frequent cloud bug hunter Justin O'Leary told us that he found and reported to Google a major flaw that allows any Kubernetes namespace user to bypass GCP's Identity and Access Management (IAM) controls and therefore gain root-level access to manage an organization's cloud resources.
Google initially rated the bug high priority and high severity, with a rep telling O'Leary "Nice Catch!" Then, the cloud giant changed course and told O'Leary and The Register that there's no vulnerability, so no fix and no reward payout.
The bug report, however, is still marked high-priority and accepted.
O'Leary spoke...
Copyright of this story solely belongs to theregister.com.