EP220 Big Rewards for Cloud Security: Exploring the Google VRP

Apr 21, 2025 | 29 min | Season 1 | Ep. 220

Episode description

Guests:

Topics:

  • Vulnerability response at cloud-scale sounds very hard! How do you triage vulnerability reports and make sure we’re addressing the right ones in the underlying cloud infrastructure?
  • How do you determine how much to pay for each vulnerability? What is the largest reward we paid? What was it for?
  • What products get the most submissions? Is this driven by the actual product security or by trends and fashions like AI?
  • What are the most likely rejection reasons? 
  • What makes for a very good, or even exceptional, vulnerability report? We hear we pay more for “exceptional” reports; what does that mean?
  • In college Tim had a roommate who would take us out drinking on his Google web app vulnerability rewards. Do we have something similar for people reporting vulnerabilities in our cloud infrastructure? Are people making real money off this? 
  • How do we actually uniquely identify vulnerabilities in the cloud? CVE does not work well, right?
  • What are the expected risk reduction benefits from Cloud VRP?

Resources:

Cloud Security Podcast by Google