Google Said 'Nice Catch' Then Denied a Bug Bounty for a CVSS 10.0 Flaw It Still Hasn't Fixed

How Config Connector Works and Where It Breaks

Config Connector is a Kubernetes operator that lets organizations manage GCP resources — such as cloud storage, databases, and IAM policies — through Kubernetes commands . It is designed to unify tooling: you can create, update, and delete cloud resources using kubectl, the familiar Kubernetes command-line tool .

O'Leary found that this unified approach comes with a dangerous side effect. The flaw allows any Kubernetes namespace user to bypass Google Cloud Platform's Identity and Access Management (IAM) controls. A developer with basic access to just one Kubernetes namespace could exploit this to gain full administrative control over an entire organization's GCP environment — effectively owning the whole cloud account . O'Leary told The Register the exploit could be executed in about five seconds, with no audit trail left behind .

The Technical Mechanism: Cross-Namespace Privilege Escalation

While Google has not released a detailed technical description, multiple sources and O'Leary's reporting indicate the vulnerability lies in how Config Connector handles IAM permissions across different Kubernetes namespaces .

In a properly configured multi-tenant GKE cluster, different namespaces are supposed to be isolated — a user in namespace A should not be able to manage resources in namespace B or grant themselves elevated GCP roles. O'Leary's discovery shows that Config Connector's IAM resource types do not enforce these namespace boundaries . By creating or modifying an IAM policy resource via Config Connector from within a single namespace, a user with minimal Kubernetes permissions can grant themselves the roles/owner role on the GCP project — or the entire organization .

This is a violation of the principle of least privilege and a direct bypass of GCP's IAM authorization layer. It is not a misconfiguration that an administrator could fix; it is a design-level flaw in how Config Connector delegates IAM authority .

The Timeline: From 'Nice Catch!' to 'Working as Intended'

According to The Register's exclusive June 18, 2026, report and corroborating sources, the timeline unfolded as follows:

• Late March / early April 2026 (approximate): O'Leary discovers the flaw and submits a detailed report to Google's Cloud Vulnerability Reward Program (Cloud VRP). The report includes a proof of concept demonstrating how an attacker can escalate from namespace-user to GCP organization owner .
• Initial triage: Google's bug bounty team reviews the submission, categorizes it as a high-priority, high-severity vulnerability, and a Google representative personally responds with 'Nice catch!' .
• ~May/June 2026: Without issuing a fix, Google reverses its decision. The company closes the report, declaring that the behavior is 'working as intended' — meaning it does not qualify as a vulnerability under the Cloud VRP rules. No reward is issued .
• As of June 18, 2026: The flaw remains patched. O'Leary's bug report, however, is still marked 'high-priority' and 'accepted' in Google's tracking system — an apparent contradiction . The case has been open for nearly three months .

Why Google Might Have Denied the Bounty

Google has not publicly explained its reversal, but several factors could be at play based on the Cloud VRP rules and the broader context of Google's 2026 program changes.

The official Cloud VRP rules state: “Google Cloud vulnerability reports where customer-owned resources were tested are ineligible for rewards.” The program scope is explicitly limited to vulnerabilities in Google-owned infrastructure and services, not in customer-configurable components . If Google considered Config Connector's behavior a matter of customer configuration rather than a product vulnerability, it could technically deny the bounty under this language — even if the behavior bypasses expected IAM controls.

A separate possibility: the Cloud VRP rules specify that the program covers “authentication or authorization flaws” in scope items, which should cover O'Leary's finding . But Google has previously argued in other contexts that certain privilege escalations are not bugs if they require specific permissions to trigger — a stance that drew criticism from researchers . In O'Leary's case, the required initial permission (namespace-level access to Config Connector resources) is minimal and commonly granted to developers, making the escalation both real and dangerous .

A third factor relates to Google's 2026 Vulnerability Reward Program overhaul for Chrome and Android. In late April and early May 2026, Google announced it was cutting Chrome payouts and restructuring rewards, citing a surge in AI-generated low-quality submissions . The company stated it was “reducing some reward amounts and bonuses across Android and Chrome” to focus on “quality and real-world impact over sheer volume” . While O'Leary's case falls under the separate Cloud VRP, not the Chrome or Android programs, the company's public stance of tightening payouts may have influenced the decision — particularly if Google viewed the Config Connector issue as a design choice rather than a bug .

Growing Researcher Backlash

The incident has sparked criticism from the security research community, with some arguing that Google is using the AI-submission narrative as cover to deny legitimate, manually discovered vulnerabilities . PC Perspective's commentary called the decision “getting miserly on bug bounties” and noted the discrepancy between Google's initial praise and its ultimate denial . Cyber News Live highlighted that the flaw could allow a five-second takeover with no record left behind .

The case also comes at a time when Google is simultaneously increasing top rewards for certain categories of Android bugs — up to $1.5 million for persistent Titan M zero-click exploits . This two-tier approach — rewarding deep hardware exploits generously while denying even acknowledgement for severe cloud IAM bypasses — has fueled perceptions that Google's bug bounty programs are strategically allocating budgets rather than honestly assessing risk .

What This Means for Organizations Using Config Connector

Organizations running Config Connector in multi-tenant or shared GKE clusters should treat this as an urgent, unpatched risk. Without an official patch from Google, the following mitigations can reduce exposure:

• Restrict iam* resource creation at the namespace level using Kubernetes RBAC policies. Do not grant create, update, or Delete permissions on IAMPolicy, IAMPolicyMember, or IAMPartialPolicy custom resources to untrusted namespaces.
• Use namespace-mode Config Connector with distinct, low-privilege service accounts per namespace. Google's documentation supports this configuration, which limits blast radius .
• Monitor GCP IAM changes from Config Connector origins. Enable audit logs and set up alerts for any setIamPolicy calls originating from your GKE cluster.
• Consider disabling Config Connector in environments where multi-tenant isolation is required, until Google resolves the vulnerability.

Google's official documentation on securing access to resources with IAM describes recommended configurations but does not address the cross-namespace bypass vector at the heart of O'Leary's report . Organizations should assume their Config Connector deployments may be vulnerable.

Key Takeaways

• A privilege-escalation flaw in Google's Config Connector (CVSS 10.0) allows any Kubernetes namespace user to gain full ownership of the GCP project.
• Google's bug bounty team initially accepted the report as high-priority, then reversed course, declaring it 'working as intended' and denying a reward.
• Nearly three months after the initial report, the vulnerability remains unpatched with no fix timeline from Google.
• The incident occurs against Google's broader 2026 program changes that cut Chrome payouts while raising Android rewards, complicating the company's relationship with security researchers.