
Comment by jjice

1 year ago

Nope, I'm with you. Based on the quick blurb about what the vuln was, $1337 is an absolute steal for Google. Paying for a team or outside pentesters to attempt to find this would be _way_ more expensive.

> Paying for a team or outside pentesters to attempt to find this would be _way_ more expensive.

But doesn't Google have teams of internal pentesters already? You could hire dozens of external companies and they might not find it.

This system is a "no cure, no pay" approach. I do think they should have paid the reporter a lot more though.

Especially when Microsoft paid out about 75k for essentially the same issue.

  • Did Microsoft pay the entire $75k? The people who found that issue reported it to multiple stakeholders, and their blog post[1] merely says they were awarded $75k in total. I assume the bulk of the bounties were paid by the service providers who failed to heed the warning in Microsoft's documentation.

    Also, the Microsoft issue was far worse as it could be exploited by anyone; the Google issue requires a rogue employee or a misconfigured email ticketing system.

    [1] https://www.descope.com/blog/post/noauth