Have you ever wondered how Google handles all of its vulnerability reports and bug tracking issues? Google handles all such reports in-house through a platform called Google Issue Tracker. This in-house site allows Google employees to submit and discuss vulnerability reports, bug tracking issues and feature requests during product development.

The Google Issue Tracker is meant to be used within the company itself, although specific issues are open to external public and partner users. The public, however, gets access to only a limited number of topics: just 0.1% of all issues generated on the platform.

How did a security researcher come to hack into the issue tracking system?

While sending a vulnerability report on one of Google’s products, a security researcher discovered a thread leading to the Google issue tracking system, which only Google’s employees have access to. So he decided to try hacking into it.

Hacking into the issue tracking system:

In order to hack into the system, the researcher first had to try to log in to it. By creating an account with the component ID, which basically represents the category, and the issue ID, which is a unique identifier, the researcher was able to log in to the Buganizer, which is another name for Google’s issue tracking system.

The next step was to get into chats that did not concern the researcher. He was able to do this by starring items, which means that one can look into a discussion without ever participating in it or being invited into it.

Rewards for reporting the bugs in the issue tracking system:

The security researcher was able to get $15,000 for reporting these bug tracking issues to Google. Each of the issues was taken care of according to its priority level. All the issues discovered by the researcher were resolved within a matter of hours.

Potential problems of not resolving bug tracking issues in the issue tracking system:

One of the major concerns of having bug tracking issues in any system is that they can be taken advantage of by malicious third parties. The same goes for Google’s issue tracking system: any bugs in the platform could leave a window open for third parties to misuse such information. In all the cases brought forward by the security researcher, though, the Google team resolved the bug tracking issue at the earliest.

There are about 3000 new vulnerability reports being filtered through the system. Each of these bug tracking issues is assigned a level and handled according to its priority. Therefore there could be bug tracking issues that are not handled promptly. This gives third parties time to misuse such issues. But then again, since they are not at the top of the list, they may not be so important anyway.

In a time when the net is subject to a lot of cyber-attacks, resolving bug-related issues and seeing to vulnerability reports at the earliest becomes the central focus of any company.