
Google hands out a large bug-finders fee of $50,000

Google hands out a handsome reward to a Polish security research team that found flaws in its App Engine developer platform - the highest payment yet
By: Chris Smith | Apps News | Posted: Jan 2, 2015 12:03 am

A group of Polish security researchers has been rewarded with $50,000 by Google for investigating and finding 30 flaws within the Google App Engine developer platform - flaws said to give hackers possible access beyond their own virtual machines.




This flaw was further explained as allowing intruders the ability to bypass the Oracle Java security sandbox.


While the research was under way, Google detected the team conducting its tests and locked it out of its Google App Engine account - meaning no more progress could be made. After two weeks Google allowed the team to continue its research, complete its exploration of the GAE flaws and produce a report on the findings. There was one clear-cut rule, however: the researchers had to limit their work to the Java Virtual Machine (JVM) layer and steer clear of the next sandboxing layer.


This approved work was conducted between the 11th and 21st of December 2014, with Google acknowledging the findings - stating that the "Security Explorations' report demonstrated that one of company's layers of defence had insufficient mitigations against a certain type of attacks and the auditing of the privileged Java classes were insufficient".


The $50,000 reward was paid under Google's vulnerability reward program (VRP) and this marks the highest cash reward given under this scheme - said to be separate to the Chrome VRP.

