Michal/Google, IMHO, 500$ is an incredibly minute amount to give even for an error message information disclosure/an open redirect, researchers with bills can't make a living like that.. although it might? be okay for students.

How many Google vulnerabilities per month are there expected to be? Granted, there are other avenues to pursue for a fledgling researcher. What is the cost to Google's business if an open redirect causes their image to be tarnished by some arbitrary amount in the eyes of some percentage of consumers? Considering Google grossed 30 billion dollars in 2010, (ridiculous) I would expect that the numbers we are talking about perhaps are so massive that 500$ is nothing in comparison.

We live in an age that pays 5k, or 30k, or 100k for a root level compromise, in a common package with a reliable and solid exploit. At least that's what I hear. Even if everyone else's opinion says "500$ is too much for a redirect", doesn't Google want to promote the industry by sharing a little of the wealth to people with good intentions and ability?

It's time to raise the bar a little here, and I'm not just talking about bounty. Why would Google ever suffer from these issues to begin with? Can't Google, in its infinite wisdom and 30 billion dollars, come up with a better solution for whatever random problem they are trying to solve with an open redirect?

n.b. I have never sold a vulnerability, even when non-pittance sums are offered

/rant

On Thu, Dec 8, 2011 at 12:15 AM, Michal Zalewski <[email protected]> wrote:

>> _Open_ URL redirectors are trivially prevented by any vaguely sentient
>> web developer as URL redirectors have NO legitimate use from outside
>> one's own site so should ALWAYS be implemented with Referer checking
>
> There are decent solutions to lock down some classes of open
> redirectors (and replace others with direct linking), but "Referer"
> checking isn't one of them. It has several subtle problems that render
> it largely useless in real-world apps.
>
> ...
>
> We have a vulnerability reward program, and it's just about not paying
> $500 for reports of that vulnerability - along with not paying for
> many other minimal-risk problems such as path disclosure.
>
> /mz

Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
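Since the quoted exchange turns on what does lock down an open redirector (Referer checking is rejected above; the header is optional and often absent, so a check on it either breaks legitimate flows or passes when it is missing), here is an added example of the usual alternative: validating the redirect target itself against an allowlist. This is illustrative code written for this page, not code from Google or from anyone in the thread; the `ALLOWED_HOSTS` set and the `safe_redirect_target` name are assumptions.

```python
from urllib.parse import urlsplit, urlunsplit

# Hosts a redirect may point at. Constructed example allowlist (assumption);
# a real deployment would list only its own origins.
ALLOWED_HOSTS = {"example.com", "accounts.example.com"}


def safe_redirect_target(target: str, default: str = "/") -> str:
    """Return `target` if it is a same-site destination, otherwise `default`.

    Rejects absolute URLs to unlisted hosts, protocol-relative URLs ("//host"),
    backslash variants that browsers treat as slashes, userinfo tricks
    ("https://example.com@evil"), and non-http schemes (javascript:, data:).
    """
    if not target:
        return default
    # Browsers treat "/\\host" and "\\\\host" like "//host", so normalise first.
    candidate = target.strip().replace("\\", "/")
    parts = urlsplit(candidate)

    if parts.scheme and parts.scheme.lower() not in ("http", "https"):
        return default  # javascript:, data:, vbscript:, ...

    if parts.netloc:
        # Absolute URL: host must be allowlisted and must carry no userinfo,
        # which is how "https://trusted.com@evil.example/" would slip past a
        # naive startswith() check.
        host = (parts.hostname or "").lower()
        if host not in ALLOWED_HOSTS or parts.username or parts.password:
            return default
        # Re-emit a canonical form: forced https, no userinfo, no fragment.
        return urlunsplit(("https", host, parts.path or "/", parts.query, ""))

    # No netloc: accept only a plain same-origin path, i.e. exactly one
    # leading slash. "//host" and "///host" are rejected here; so is
    # "http:/evil" (scheme present but no netloc, path does not start with "/").
    if not candidate.startswith("/") or candidate.startswith("//"):
        return default
    return urlunsplit(("", "", parts.path, parts.query, ""))
```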
