Google has failed to respond to confirm or deny reported vulnerabilities in Google App Engines (GAE) for Java, so the research group which uncovered the issues has decided to publish a full report along with proof of concept code (POC).
Security Explorations (SE), a company based in Poland, claims to have discovered 41 vulnerabilities in GAE. According to Adam Gowdiak, SE's CEO, this is more than the company's initial target of finding 30 vulnerabilities in GAE.
“The irony is that all of the bugs reported to Google so far were specific to the ‘extra security' layer implemented on top of JRE that aimed to protect GAE against...security vulnerabilities in Java,” he wrote.
In fact, reading between the lines of SE's report on Full Disclosure, it would appear that it has not been an easy relationship between SE and Google.
Following a notification last year issues 1-31, Google blocked SE's research account possibly because, says Gowdiak, SE was probing too aggressively. The account was eventually restored and SE was rewarded with a bounty of £32,000.
The POC relating to these bugs subsequently failed to work anymore, leading Gowdiak to conclude, in the absence of any notification from Google, that they had been silently patched, contrary to Google's policies around bug notification.
Gowdiak has decided to publish SE's report despite the bugs being unconfirmed and unpatched because it has been three weeks since he notified Google during which time he has had no response.
He said he is aware that he might be upsetting Google but insisted that “we need to treat all vendors equally”.
Gowdiak said: “At the end, it's worth noting that we are completely aware that this publication may lead to the cancelling of additional VRP rewards from Google (including the £13,000 that was to be paid for Issues 32-34 and improperly patched Issue 2 #2).”