EP220 Big Rewards for Cloud Security: Exploring the Google VRP

Update: 2025-04-21

Description

Guests:

Michael Cote, Cloud VRP Lead, Google Cloud
Aadarsh Karumathil, Security Engineer, Google Cloud

Topics:

Vulnerability response at cloud-scale sounds very hard! How do you triage vulnerability reports and make sure we’re addressing the right ones in the underlying cloud infrastructure?
How do you determine how much to pay for each vulnerability? What is the largest reward we paid? What was it for?
What products get the most submissions? Is this driven by the actual product security or by trends and fashions like AI?
What are the most likely rejection reasons?
What makes for a very good - and exceptional? - vulnerability report? We hear we pay more for “exceptional” reports, what does it mean?
In college Tim had a roommate who would take us out drinking on his Google web app vulnerability rewards. Do we have something similar for people reporting vulnerabilities in our cloud infrastructure? Are people making real money off this?
How do we actually uniquely identify vulnerabilities in the cloud? CVE does not work well, right?
What are the expected risk reduction benefits from Cloud VRP?

Resources:

Comments

In Channel

EP229 Beyond the Hype: Debunking Cloud Breach Myths (and What DBIR Says Now)

2025-06-0935:05

EP228 SIEM in 2025: Still Hard? Reimagining Detection at Cloud Scale and with More Pipelines

2025-06-0227:09

EP227 AI-Native MDR: Betting on the Future of Security Operations?

2025-05-2623:58

EP226 AI Supply Chain Security: Old Lessons, New Poisons, and Agentic Dreams

2025-05-1924:39

EP225 Cross-promotion: The Cyber-Savvy Boardroom Podcast: EP2 Christian Karam on the Use of AI

2025-05-1424:46

EP224 Protecting the Learning Machines: From AI Agents to Provenance in MLSecOps

2025-05-1230:40

EP223 AI Addressable, Not AI Solvable: Reflections from RSA 2025

2025-05-0531:37

EP222 From Post-IR Lessons to Proactive Security: Deconstructing Mandiant M-Trends

2025-04-2835:19

EP221 Special - Semi-Live from Google Cloud Next 2025: AI, Agents, Security ... Cloud?

2025-04-2330:26

EP220 Big Rewards for Cloud Security: Exploring the Google VRP

2025-04-2129:13

EP219 Beyond the Buzzwords: Decoding Cyber Risk and Threat Actors in Asia Pacific

2025-04-1431:46

EP218 IAM in the Cloud & AI Era: Navigating Evolution, Challenges, and the Rise of ITDR/ISPM

2025-04-0730:10

EP217 Red Teaming AI: Uncovering Surprises, Facing New Threats, and the Same Old Mistakes?

2025-03-3123:11

EP216 Ephemeral Clouds, Lasting Security: CIRA, CDR, and the Future of Cloud Investigations

2025-03-2431:43

EP215 Threat Modeling at Google: From Basics to AI-powered Magic

2025-03-1726:03

EP214 Reconciling the Impossible: Engineering Cloud Systems for Diverging Regulations

2025-03-1029:22

EP213 From Promise to Practice: LLMs for Anomaly Detection and Real-World Cloud Security

2025-03-0328:01

EP212 Securing the Cloud at Scale: Modern Bank CISO on Metrics, Challenges, and SecOps

2025-02-2433:16

EP211 Decoding the Underground: Google's Dual-Lens Threat Intelligence Magic

2025-02-1726:02

EP210 Cloud Security Surprises: Real Stories, Real Lessons, Real "Oh No!" Moments

2025-02-1026:58

00:00

EP220 Big Rewards for Cloud Security: Exploring the Google VRP

#box-pro-ellipsis-174998021515378{-webkit-line-clamp:2;}EP220 Big Rewards for Cloud Security: Exploring the Google VRP

EP220 Big Rewards for Cloud Security: Exploring the Google VRP

Anton A Chuvakin

EP220 Big Rewards for Cloud Security: Exploring the Google VRP