Does anyone else feel that XSS on google.com is probably worth a bit more to the wrong people than $5k? Arbitrary-eval is pretty much the worst. Unless I'm missing something, somebody could steal a user's cookie strings and post them to an arbitrary endpoint, which could then use them to log into, e.g., GMail, which an attacker could then use to trigger and retrieve password-reset links for all sorts of other sites.
When I worked at Yahoo, an XSS on yahoo.com (which almost never happened) was a code-red, drop-everything, holy-shit event. If I were at Google I'd probably give this guy a bonus.

I wonder if emailing them and asking for, e.g., a 25k reward before disclosure exposes one to criminal liability or not.
I mean, is there a law making it illegal to sell exploits on the black market? These bug bounty programs must know they compete with a large market for these sorts of things.

Slightly off topic, but if a bug like this is discovered, does the engineer who wrote it get notified?
It would be funny to have a sort of wall of shame for that week or something else internally. Or you could even go as far as making that engineer pay for the bug bounty (that's a bit much though). Anyone have any experience as to what happens on Google's end besides the obvious patching of the bug and paying of the fine?

Where in the code is the eval() performed? There is not a single call to eval() in that source.
Maybe a listing of the Wi() function would be useful.

5k is not so much for this kind of huge vulnerability.
I mean, with a "great" hack this guy could have made much more in a few hours, but let's say it's a generous reward anyway :)
