Google thanks researcher for finding major flaw but doesn’t fix it and pays no reward

Researcher and cloud bug hunter Justin O’Leary says he found and reported a major flaw to Google but the tech giant, after initially praising the engineer, then changed course, told him there’s no vulnerability and that he wouldn’t be paid. The flaw is still active.
- Google initially praised and prioritized the reported flaw, then reversed course, denied vulnerability status, and withheld payment.
- The alleged Google Cloud Config Connector flaw remains unfixed, despite internal P1/S1 severity and active tracking.
- Justin O’Leary says Google’s contradictory responses reflect a broader pattern of underrewarding independent security researchers.
O’Leary found a security flaw in a Kubernetes operator and realized it could allow attackers to bypass Google Cloud Platform (GCP) identity and access protections and gain control over any organization’s cloud environment.
He reported the find to Google. As expected, the tech giant initially rated the flaw high priority and high severity, and Google’s representative even told O’Leary: “Nice Catch!”
But Google then suddenly changed course. As O’Leary explains in a blog post, he was told that, actually, there was no vulnerability so the researcher wouldn’t receive any reward payout.
Google reversed its earlier decision
Curiously, the vulnerability, which O’Leary named “ConfigConfusion,” is still unfixed. Even now, Google’s internal tracker shows it as P1/S1, its highest severity.
It all began on March 8th, when O’Leary filed his bug report with Google. He had found an issue in Config Connector, an open source Kubernetes add-on that lets users manage Google Cloud resources through Kubernetes.
According to O’Leary, because Config Connector performs no authorization check of its own, any Config Connector service account that holds org-level permissions can bypass Identity and Access Management (IAM) authorization and gain the highest level of control over an entire GCP Organization.
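The practical takeaway for defenders is that the blast radius of the issue O’Leary describes depends on what the Config Connector service account has been granted at the organization level. The script below is an added, constructed example, not code from O’Leary’s report, from Google, or from the Config Connector project: it audits an organization IAM policy (in the JSON shape returned by `gcloud organizations get-iam-policy ORG_ID --format=json`) and lists service accounts that hold broad org-level roles. The sample policy, the project ID `example-host`, and the account names are invented for the example, and the assumption that a Config Connector service account can be recognised by `cnrm` in its name is exactly that, an assumption; pass your own pattern if your installation names it differently.

```python
import json
import re

# Predefined roles that, when bound at the organization node, grant broad
# control over every folder and project beneath it. Extend as needed.
BROAD_ORG_ROLES = {
    "roles/owner",
    "roles/editor",
    "roles/resourcemanager.organizationAdmin",
}

# Constructed sample policy (not real data) in the shape produced by
# `gcloud organizations get-iam-policy ORG_ID --format=json`.
# The project ID and the account names are invented for this example.
SAMPLE_POLICY = json.dumps({
    "version": 1,
    "etag": "BwXyz123",
    "bindings": [
        {
            "role": "roles/owner",
            "members": [
                "user:alice@example.com",
                "serviceAccount:cnrm-system@example-host.iam.gserviceaccount.com",
            ],
        },
        {
            "role": "roles/viewer",
            "members": [
                "serviceAccount:cnrm-system@example-host.iam.gserviceaccount.com",
            ],
        },
        {
            "role": "roles/editor",
            "members": [
                "serviceAccount:ci-deployer@example-host.iam.gserviceaccount.com",
            ],
        },
    ],
})


def service_accounts_with_broad_org_roles(policy_json: str,
                                          name_pattern: str = r"cnrm") -> dict:
    """Return {service_account_email: [broad roles]} for accounts whose email
    matches name_pattern and that hold a role from BROAD_ORG_ROLES.

    name_pattern defaults to "cnrm" on the assumption that the Config
    Connector service account carries that prefix; adjust to your naming.
    Bindings with an IAM condition are still reported, because a conditional
    grant is still a grant until the condition has been reviewed.
    """
    policy = json.loads(policy_json)
    pattern = re.compile(name_pattern)
    findings: dict = {}
    for binding in policy.get("bindings", []):
        role = binding.get("role", "")
        if role not in BROAD_ORG_ROLES:
            continue  # narrow roles (e.g. roles/viewer) are not the concern here
        for member in binding.get("members", []):
            # Only service accounts are interesting for this check.
            if not member.startswith("serviceAccount:"):
                continue
            email = member.split(":", 1)[1]
            if pattern.search(email):
                findings.setdefault(email, []).append(role)
    return findings


if __name__ == "__main__":
    # Audit the sample policy for the assumed Config Connector account...
    for account, roles in service_accounts_with_broad_org_roles(SAMPLE_POLICY).items():
        print(f"{account}: {', '.join(roles)}")
    # ...and, with a catch-all pattern, for every service account.
    print(service_accounts_with_broad_org_roles(SAMPLE_POLICY, name_pattern="."))
```

To run it against a real organization, replace `SAMPLE_POLICY` with the output of the `gcloud` command above. Any hit is a service account that, by O’Leary’s account, could exercise those roles regardless of the per-resource IAM checks you expect to apply; the least-privilege fix is to scope the account’s grants to the projects or folders it actually manages rather than the organization node.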
On March 27th, a Google security engineer accepted the report and assured O’Leary the flaw will soon be fixed, adding, “In the meantime, review the payment option selected in your bughunters.google.com profile.”
Google even assigned the bug P1 priority and S1 severity, signalling that a fix is urgent because the issue affects a large percentage of users and can disrupt core organizational functions.
However, 11 days later, a Google bot emailed O’Leary, reversing the earlier decision and explaining, “The Cloud Vulnerability Reward Program panel has decided that the security impact of this issue does not meet the criteria to qualify for a reward.”
According to Google, the issue O’Leary had described “is working as intended.” The company, quite curiously, adds, “The fact that this issue is not being rewarded does not mean that the product team won’t fix the issue.”
Three months later, the bug’s still alive
Naturally, O’Leary was, and remains, extremely surprised. He now calls Google’s claims “false or contradictory” and points out that Google cannot simultaneously:
- Say “Nice catch!” and file a bug to fix it
- Tell me to set up payment for my “potential reward”
- Claim the behavior is “working as intended”
- Say the product team might still fix it
- Keep the case in “Accepted” status instead of closing it
- Tell MITRE they “do not believe it is a vulnerability”
On his blog, the perplexed engineer asks, “If it’s being fixed, it’s not intended behavior. If it’s not intended behavior, it qualifies for a reward. If they don’t believe it’s a vulnerability, why is it P1/S1 ‘Accepted’?”
Indeed, nearly three months later, the case is still in “Accepted” status, but Google has neither assigned a CVE nor issued a fix – even though Google uses that status for real vulnerabilities, not intended behavior.
O’Leary’s story isn’t unique, of course: tech companies are increasingly reluctant to pay bug hunters who find flaws in their products.
For example, in April, security researchers hijacked three popular AI agents that integrate with GitHub Actions, using a new type of prompt-injection attack to steal API keys and access tokens. They received only modest bounties from the vendors, which did not even disclose the issue.
“This is a pattern. This is just how these trillion-dollar companies deal with people like me,” O’Leary told The Register, adding on his blog, “They’re not disputing what it [the bug] does. They’re disputing who has to fix it.”