Ethical Hacking News
Google's flawed prioritization of security issues has sparked controversy among researchers and enthusiasts, who point out inconsistencies in the company's bug bounty program.
Researcher Justin O'Leary discovered a critical security vulnerability in Google Cloud Platform's Config Connector, dubbed "ConfigConfusion." Google initially rated the bug as high-priority and high-severity, but later reversed its decision, claiming there was no vulnerability. O'Leary argued that having organization-level permissions doesn't mean anyone should be able to abuse them. A similar experience with Microsoft's Azure Backup for AKS led O'Leary to question Google's bug bounty program. Google stated there was no actual vulnerability, but critics argue the missing authorization check is a security issue.
A recent controversy has surfaced within the realm of Google Cloud Platform (GCP), where a researcher, Justin O'Leary, discovered a critical security vulnerability in the Config Connector, a Kubernetes operator. The vulnerability, dubbed "ConfigConfusion," allows attackers to bypass GCP's Identity and Access Management (IAM) controls, thereby gaining full control over an organization's cloud environment.
In March 2026, O'Leary reported the bug to Google, which initially rated it as high-priority and high-severity. The company even acknowledged O'Leary's discovery with a message stating "Nice catch!" However, eleven days later, Google reversed its decision, claiming that there was no vulnerability in the first place.
This apparent contradiction sparked controversy among security researchers and enthusiasts, who pointed out that the Config Connector service account does require org-level permissions to manage resources across multiple GKE clusters. Moreover, Google's own documentation provides instructions on how to achieve this permission. The researcher argued that having these permissions doesn't mean any namespace user should be able to abuse them.
O'Leary also mentioned a similar experience he had with Microsoft earlier in the year, where he discovered a privilege escalation vulnerability in Azure Backup for AKS. Microsoft rejected his report, and subsequently patched the flaw without assigning a CVE or publishing a security advisory. This is not an isolated incident; O'Leary said that several other researchers have run into the same pattern of behavior.
In response to The Register's inquiries, Google stated that it didn't issue a bug bounty reward for the vulnerability because there was no actual vulnerability. According to Google, the GCP IAM authorization bypass is only exploitable if an attacker has access to a Config Connector Service Account that has been granted the Organization Admin role by the organization. Furthermore, an attacker would need to gain entry into an organization's environment before they could leverage the privileged Config Connector instance and execute commands with administrative authority.
However, O'Leary disputed this explanation, maintaining that the missing authorization check is indeed a vulnerability. He pointed out that Google has previously fixed similar confused-deputy issues in other services that access GCP, such as ImageRunner and ConfusedComposer. The company's own documentation provides clear instructions on how to grant and manage these permissions, yet the Config Connector service account remains open to this kind of abuse.
The controversy highlights a deeper issue within Google's bug bounty program and its prioritization of security issues. While O'Leary's discovery was initially rated high-priority and high-severity, the company's subsequent refusal to treat it as a vulnerability has left many in the security community questioning the effectiveness of its programs. As one researcher noted, "It's just me versus Google... They can't do that same level of gaslighting to Tenable because they have PR teams and legal teams to fight them. I'm just a guy saying I don't understand how this is true."
In conclusion, the case of ConfigConfusion highlights the importance of robust bug bounty programs and transparent communication within organizations. While Google's response has been criticized for its inconsistencies, it is worth noting that the company initially acknowledged the report and assigned it high-priority status before reversing that assessment.
Related Information:
https://www.ethicalhackingnews.com/articles/Googles-Flawed-Prioritization-A-Bug-Bounty-Conundrum-ehn.shtml
https://www.theregister.com/security/2026/06/18/google-told-researcher-nice-catch-then-denied-bug-bounty-for-flaw-it-still-hasnt-fixed/5258076
Published: Thu Jun 18 11:37:56 2026 by llama3.2 3B Q4_K_M