Inside a large self-hosted VRP
Sam Erb
Bug Bounty Village @ DEF CON 33 · Day 1
Sam Erb, a Security Engineer at Google who helps run the Google and Alphabet Vulnerability Reward Program (VRP), delivered a talk at Bug Bounty Village on the operational philosophy of a large, self-hosted VRP. Beyond a rare look at the internal workings of one of the world's largest bug bounty programs, Erb disclosed a previously unpublished Cross-Site Scripting (XSS) technique: by exploiting a detailed understanding of how **GZIP** (DEFLATE) compresses a response, an attacker can make chosen byte strings appear in the compressed form of a `text/html` response, even though the attacker does not directly control the Huffman tables the compressor builds for that response.
AI review
A rare dual-payload talk: genuine technical novelty in the GZIP XSS research, plus unusually candid operational disclosure about how Google's VRP actually works internally. The compression exploitation technique — controlling LZ77 matches, stabilizing Huffman tables via character-count balancing, brute-forcing byte alignment — is legitimately clever and not something you'd piece together from existing literature. The VRP operations content is more informative than most 'how bug bounty works' talks precisely because Erb is actually running the program.
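To make the mechanism concrete, here is a small model of the problem, written for this page and not code from Erb's talk or from Google. It deliberately simplifies what the review above describes: the encoder below emits one final DEFLATE block with the fixed Huffman tables from RFC 1951 and encodes every byte as a literal (no LZ77 matches), so the two hard parts of the real technique, stabilising dynamic tables and steering matches, disappear and only the byte-alignment brute force remains. The page template (`PAGE_PREFIX`/`PAGE_SUFFIX`), the printable alphabet the attacker may reflect, and the use of raw bytes >= 144 (which take 9-bit fixed codes and so shift the bit alignment by one each) are assumptions of this model. The search picks reflected characters whose Huffman codes, packed into the output bit stream, spell the target string in the compressed body, then wraps the result in a gzip member and checks that it still inflates to the innocent-looking page.

```python
import gzip
import struct
import zlib

# Constructed mock page (assumption, not Google's): the attacker controls only the
# text reflected between PAGE_PREFIX and PAGE_SUFFIX, but wants a chosen byte
# string to appear in the *compressed* body. Toy model: one final fixed-Huffman
# DEFLATE block, every byte encoded as a literal, no LZ77 matches.
PAGE_PREFIX = b"<!doctype html><title>Search</title><p>Results for: "
PAGE_SUFFIX = b"</p>"
PRINTABLE = range(0x20, 0x7F)   # assumed alphabet the reflected field passes through
SHIFT_BYTE = 0xA9               # any literal >= 144 takes a 9-bit fixed code


def fixed_code(sym):
    """Fixed literal/length Huffman code from RFC 1951 section 3.2.6: (code, nbits)."""
    if sym <= 143:
        return 0x30 + sym, 8
    if sym <= 255:
        return 0x190 + (sym - 144), 9
    if sym <= 279:
        return sym - 256, 7
    return 0xC0 + (sym - 280), 8


class BitWriter:
    """DEFLATE bit packing: header fields LSB first, Huffman codes MSB first (RFC 1951 3.1.1)."""

    def __init__(self):
        self.bits = []

    def put_field(self, value, nbits):
        for k in range(nbits):
            self.bits.append((value >> k) & 1)

    def put_code(self, code, nbits):
        for k in range(nbits - 1, -1, -1):
            self.bits.append((code >> k) & 1)

    def tobytes(self):
        out = bytearray((len(self.bits) + 7) // 8)
        for pos, bit in enumerate(self.bits):
            out[pos // 8] |= bit << (pos % 8)
        return bytes(out)


def deflate_literals(data):
    """Raw DEFLATE: BFINAL=1, BTYPE=01 (fixed tables), all bytes as literals, then end-of-block."""
    w = BitWriter()
    w.put_field(1, 1)
    w.put_field(1, 2)
    for byte in data:
        w.put_code(*fixed_code(byte))
    w.put_code(*fixed_code(256))
    return w.tobytes()


def gzip_member(raw, plain):
    """Minimal gzip framing (FLG=0, MTIME=0, XFL=0, OS=3) plus CRC32/ISIZE trailer."""
    header = b"\x1f\x8b\x08\x00\x00\x00\x00\x00\x00\x03"
    return header + raw + struct.pack("<II", zlib.crc32(plain) & 0xFFFFFFFF, len(plain))


def spell_in_deflate(target, shift):
    """Pick reflected text so the compressed body contains `target` at this alignment, or None."""
    # Bit position of the attacker's first 8-bit literal: 3 header bits, 8 bits per
    # ASCII byte of PAGE_PREFIX, 9 bits per alignment-shifting high byte.
    p0 = 3 + 8 * len(PAGE_PREFIX) + 9 * shift
    k0 = (p0 + 7) // 8                       # first output byte made entirely of our bits
    want = {}                                # stream bit position -> required bit value
    for j, t in enumerate(target):
        for b in range(8):
            want[8 * (k0 + j) + b] = (t >> b) & 1
    last = 8 * (k0 + len(target)) - 1
    chosen = bytearray([SHIFT_BYTE] * shift)
    start = p0
    while start <= last:                     # one 8-bit literal per iteration
        for lit in PRINTABLE:
            code = 0x30 + lit
            bits = [(code >> (7 - i)) & 1 for i in range(8)]   # MSB-first packing order
            if all(want.get(start + i, bits[i]) == bits[i] for i in range(8)):
                chosen.append(lit)
                break
        else:
            return None                      # this alignment cannot spell the target
        start += 8
    return bytes(chosen)


def craft(target):
    """Brute-force the byte alignment (0..7); return the first reflected text that works."""
    for shift in range(8):
        text = spell_in_deflate(target, shift)
        if text is None:
            continue
        plain = PAGE_PREFIX + text + PAGE_SUFFIX
        body = gzip_member(deflate_literals(plain), plain)
        if target in body and target not in text:
            return {"shift": shift, "text": text, "body": body, "plain": plain}
    return None


def verify(result):
    """The crafted gzip body is well formed and still inflates to the harmless-looking page."""
    return gzip.decompress(result["body"]) == result["plain"]


if __name__ == "__main__":
    found = craft(b"<IMG")
    print(found["shift"], found["text"], verify(found))
```

Running it finds a reflected string containing no `<` at all whose gzip-compressed page nonetheless carries the bytes `<IMG`, which is the shape of the bug: whatever reads the wire bytes without inflating them sees markup the author never wrote. Not every target is spellable at every alignment, and some are spellable at none; in the real, dynamic-table case the attacker must first make the tables predictable before this kind of search can begin.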