< NULLCON 2025 - GOA />

About the Speaker

Training Registration Schedule Sponsors Meet & Greet Venue
GO BACK
img
Cameron Vincent
Security Engineer Microsoft

< Talk Title />

Google Give Me Vulnz

< Talk Category />

BountyCraft Track

< Talk Abstract />

Do you like hunting for security vulnerabilities? Better yet, do you like getting awarded for hunting security vulnerabilities? 

Well, today you're in the right place, because I'm going to share with you exactly how I did that by hacking the Google Bounty Program.

Now, how did I go about this? Ever wonder how it was possible to edit other user's apps on the Google Play store? What about accessing any Google Workspace organizations entire Google Play admin console and publishing apps to android devices in their org? What about seeing all user's files on Google Ads? What about making a living from finding these vulnerabilities?

Not interested in financial awards? Do leaderboard rankings appeal to you more? I will also share how this focused research helped to propel me to become one of the top researchers in the Google bug bounty program, reaching the elusive #1 spot. 

In this talk you will learn how to hunt for authorization and logic vulnerabilities in multiple Google products using introductory hacking tools, such as burp suite, and simple yet creative attack scenarios.

I'll be covering five distinct high impact vulnerabilities surfaced across varying Google products. This talk will give insight into how to get started as an independent security researcher in the Google Bug Bounty program and how to leverage these same techniques against other bug bounty programs as well. Beyond the technical details, you will learn about my hacking process in depth, specifically how I position myself to hunt these products and dive into recurring architectural issues across the attack surface.

< Speaker Bio />

Starting out as a full-time bug bounty hunter Cameron Vincent now works on the vulnerabilities and mitigations team in the Microsoft Security Response Center. During his full-time bug bounty career, he was ranked as one of the top researchers for both Microsoft and Google's program numerous times. He now works on the V&M team within the MSRC side dealing with security issues internally to better protect Microsoft's ecosystem from within.