Security firm informs Google of 30 glitches in GAE

Dec 30, 2014 10:25 GMT  ·  By

Google awarded a security company $50,000 / €41,000 for continuing their research on security holes in the Google App Engine (GAE) for Java, after the firm’s account had been suspended initially because of the tests they conducted.

At the beginning of the month, Security Explorations, a security firm based in Poland, announced that its researchers had discovered a flurry of security issues in the GAE that would allow a complete sandbox escape from the Java virtual machine.

Google receives multiple PoCs demonstrating the risks

It was estimated that the number of bugs was over 30, although not all of the issues could be verified. Part of the work led to a total of 17 full sandbox bypass proof-of-concept exploits that relied on 22 security weaknesses.

As soon as this was achieved, Google suspended the company's GAE account, preventing further research into the glitches. However, after Security Explorations provided details about the problems, Google re-enabled the account on the condition that the investigation was limited to the Java virtual machine and did not move on to the next sandboxing layer.

Google also asked Security Explorations (SE) not to make public any information about the next sandboxing layer or its monitoring capabilities.

Starting December 12, the Polish researchers sent Google multiple proof-of-concept exploits demonstrating how the flaws they had uncovered could be abused.

Based on the reports received, Google did not sit idly and fixed some of the problems, several of which turned out to share the same bug as their root cause.

Oracle, the maker of Java, also took an interest in the company's research, in order to learn whether any of the GAE bugs affected its own products. A minor Java code issue was reported, and Oracle took the necessary steps to fix it.

In total, SE pointed Google to a set of 30 bugs, some of which were still being worked on as of December 27.

Largest VRP award paid to date

The efforts of the Poland-based security company have been appreciated by Google, which awarded it with $50,000 through the Vulnerability Reward Program (VRP).

According to Security Explorations, this is the largest financial reward Google has given through this program. That alone hints at the severity of the issues and the importance of mitigating them.

The App Engine is a platform-as-a-service cloud computing solution designed for developing and hosting web apps running in the search giant’s infrastructure.

On the customer side, there are no servers to maintain: all a customer has to do is build the app and upload it to Google's data centers. The software is sandboxed for security purposes and is distributed across multiple servers.

Security Explorations says that the money received from Google will be used for carrying out future non-commercial security research.

Google App Engine (3 images)

Image captions: "Google solved some security issues affecting App Engine platform"; "App Engine provides a dedicated layer of front ends"; "Clients can talk directly to backend services"