Black & White Path
May 24, 2026 · Information Security
How StubZero Exposed a Google Cloud Production RCE and Earned $148,337
A researcher discovered an unauthenticated debug endpoint in Google Cloud that leaked protobuf definitions, turned it into a "req2proto as a Service", abused Stubby RPC permissions, chained several API calls to achieve full remote code execution, and received a $148,337 bug bounty.
API Security · Bug Bounty · Google Cloud
22 min read
