Wouter ter Maat takes top spot in first GCP research awards

UPDATED Security researcher Wouter ter Maat has been named as winner of the inaugural Google Cloud Platform (GCP) vulnerability research prize, thanks to his work in the field of Cloud Shell security.

Unveiled last year, the GCP Vulnerability Reward Program (VRP) was created by Google in an effort to shine fresh light on the tech giant’s cloud computing infrastructure, promising prizes of $100,000 to the reporter of the “best vulnerability affecting GCP”.

In an update yesterday, Google said it had received “many interesting entries” as part of the new initiative, but that ter Maat’s exploration of Cloud Shell vulnerabilities took the top spot.

The Dutch researcher’s write-up focused on four Google Cloud Shell bugs – the first of which leveraged the ‘Open In Cloud Shell’ feature in order to clone Git repositories hosted on GitHub or Bitbucket.

Ter Maat (@wtm_offensi) went on to show how a malicious custom Cloud Shell image could be used to gain unauthorized access to GCP resources, before explaining how a vulnerability in the path-checking logic of the Mercurial/HG client could allow an attacker to write files outside of a repository’s boundaries.

LiveOverflow feature

If ter Maat’s cloud security research seems familiar, it might be due to the fact that he demonstrated his exploits on the popular LiveOverflow YouTube channel last year.

“If you can compromise or gain access to another user’s Cloud Shell, it would mean you can get access to all the [user’s] resources,” the researcher explained in his video walkthrough.


Wouter ter Maat’s research was featured in a LiveOverflow YouTube video last year


For Fabian Faessler, owner of the LiveOverflow security education channel, the Google tie-up acted as another demonstration of the organization’s proactive approach to both security response and vulnerability disclosure.

“Google wanted to sponsor a video talking about a security vulnerability that somebody found in one of their products,” Faessler said in his introduction to the video.

“Think about this: they want to pay money so that I very publicly share that Google had a security issue. That might sound crazy for most other companies, but we know Google has always had a great vulnerability rewards program.”

Rewarding researchers

Ter Maat was awarded $100,000 for the coordinated disclosure of the GCP security vulnerabilities.

“Google contacted me somewhere in early February to let me know i was one of the top three contenders,” he told The Daily Swig. “I was really surprised and excited… Two weeks later I received the news I was the winner. Amazing!”

The security pro said the reward will serve as a “salary” while he continues to probe Google’s products and services for vulnerabilities.

“It makes sure I can provide for my family while I try to improve my game and focus on fun and time-consuming challenges, without having to worry about short-term income,” he said.

“I will definitely be participating in 2020! I have greatly enjoyed the past few years. Google has provided so many great opportunities and fun events, where i had the chance to meet some of the friendliest and skilled people you will find (both bug hunters and Googlers).”



In an effort to encourage more security researchers to look for vulnerabilities in GCP, Google is tripling the total rewards on offer for the 2020 cloud research program, with more than $133,000 being promised to the winner.


This article has been updated to include comment from Wouter ter Maat.


RELATED Learning curve: YouTube’s LiveOverflow brings ethical hacking to the masses