Google Denies Bounty for Critical Kubernetes Vulnerability After Initial 'Nice Catch' Response
Key Takeaways
- Google's Config Connector has a critical authorization bypass flaw that could give attackers root access to entire GCP organizations
- Google initially praised the researcher's discovery as a 'Nice Catch' before reversing course and denying the bounty based on a claim the software is 'working as intended'
- The vulnerability remains P1/S1 priority but unfixed after three months, with no CVE assigned or security advisory issued
- Security researchers report a troubling pattern of major tech companies retroactively dismissing critical vulnerabilities to avoid bounty payouts and public disclosure
Summary
Security researcher Justin O'Leary discovered ConfigConfusion, a critical vulnerability in Google's Config Connector—an open-source Kubernetes add-on for managing Google Cloud resources. The flaw allows any Kubernetes namespace user to bypass Google Cloud Platform's Identity and Access Management (IAM) controls and gain full administrative access to an entire GCP organization.
Google's response was initially promising. On March 27, a Google security engineer accepted the report and praised O'Leary with "Nice Catch!" The company assigned the bug P1 (highest priority) and S1 (highest severity) ratings, signaling an urgent fix was needed. However, on April 7—just eleven days later—Google reversed course entirely, claiming the software is "working as intended" and denying the bug bounty payout.
Nearly three months after the initial report, the vulnerability remains unfixed, unpatched, and without a CVE assignment. The bug report status remains P1/S1 "in progress (accepted)," creating a paradoxical situation where Google treats the flaw as simultaneously critical and non-existent. O'Leary notes this follows a troubling pattern with major tech companies, including his experience with Microsoft's silent patching of an Azure vulnerability without public disclosure or researcher recognition.
Editorial Opinion
Google's handling of this vulnerability exposes a fundamental problem in corporate bug bounty programs: they operate as discretionary PR exercises rather than genuine commitments to security research. When a company can simultaneously claim a flaw is 'working as intended' while keeping it marked as P1/S1 priority, the system has lost credibility. This dynamic—combined with concurrent incidents at Microsoft—suggests trillion-dollar cloud providers are choosing reputational comfort over security transparency, ultimately undermining the entire security research ecosystem that protects their customers.