Re: Google open redirect

[Pablo Ximenes <pablo () ximen es>]

I think the reward is intended as a symbolic token of appreciation, and not
as compensation. That's why they give you the option to donate your cash
reward instead of keeping the money. I think what really drives researchers
into Google's program is recognition and not compensation, IMHO.



2011/12/8 Charles Morris <cmorris () cs odu edu>

> Michal/Google,
>
> IMHO, 500$ is an incredibly minute amount to give even for a error
> message information disclosure/an open redirect,
> researchers with bills can't make a living like that.. although it
> might? be okay for students.
>
> How many Google vulnerabilities per month are there expected to be?
> Granted there are other avenues to pursue for a fledgling researcher,
>
> What is the cost to Google's business if an open redirect causes their
> image to be tarnished
> by some arbitrary amount in the eyes of some percentage of consumers?
>
> Considering Google grossed 30 billion dollars in 2010, (ridiculous) I
> would expect that the numbers
> we are talking about perhaps are so massive that 500$ is nothing in
> comparison.
>
> We live in an age that pays 5k, or 30k, or 100k for a root level
> compromise,
> in a common package with a reliable and solid exploit. At least that's
> what I hear.
>
> Even if everyone else's opinion says "500$ is too much for a redirect",
> doesn't Google want to promote the industry by sharing a little of the
> wealth to people with good intentions and ability?
>
> It's time to raise the bar a little here, and I'm not just talking about
> bounty.
>
> Why would Google ever suffer from these issues to begin with?
> Can't Google, in it's infinite wisdom and 30 billion dollars, come up with
> a better solution for whatever random problem they are trying to solve
> with an open redirect?
>
>
> n.b. I have never sold a vulnerability, even when non-pittance sums are
> offered
>
> /rant
>
> On Thu, Dec 8, 2011 at 12:15 AM, Michal Zalewski <lcamtuf () coredump cx>
> wrote:
> > > _Open_ URL redirectors are trivially prevented by any vaguely sentient
> > > web developer as URL redirectors have NO legitimate use from outside
> > > one's own site so should ALWAYS be implemented with Referer checking
> >
> > There are decent solutions to lock down some classes of open
> > redirectors (and replace others with direct linking), but "Referer"
> > checking isn't one of them. It has several subtle problems that render
> > it largely useless in real-world apps.
> ...
> > We have a vulnerability reward program, and it's just about not paying
> > $500 for reports of that vulnerability - along with not paying for
> > many other minimal-risk problems such as path disclosure.
> >
> > /mz
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/