
Critical Thinking - Bug Bounty Podcast Episode 159: Avoiding Downgrades on Google Cloud VRP with Cote and Darby Hopkins
Jan 29, 2026
Michael Cote, a Google Cloud VRP operations engineer who runs live hacking events, and Darby Hopkins, a VRP policy and rewards specialist, share inside perspectives. They discuss the Sunnyvale bug swat highlights, why reward tiers and severity categories changed, how the panel process and routing work, and practical tips to configure tests and avoid downgrades.
AI Snips
Huge Cloud Bug Swat Success
- The June bug swat produced 160 reports and $1.6M in rewards from a four-week submission window. Google brought product teams and credentials, which enabled many high-impact findings like RCEs and privilege escalation.
One Chain Multiplied Rewards
- One researcher (Jakub Domeracki) proved a chain that enabled impersonation of a higher-privileged server account, and multiple researchers benefited. His complete chain moved many reports from low impact to high reward during the bug swat.
Rewards Table Rework Reduced Ambiguity
- Google rewrote its rewards table to reduce ambiguity and panel debate around broad categories like S1A. Clearer, more specific categories improve transparency and consistency for researchers.
