Why you should not trust emails sent from Google

353 points by tomvangoethem over 11 years ago

14 comments

iamshs over 11 years ago

Now compare this with the attitude of their security researcher, Tavis Ormandy, bashing Microsoft's lackadaisical approach towards fixing bugs, who has publicly published 0-days twice [1, 2, 3, 4]. Google only moved upon fear of public disclosure, and that too in spite of the researcher being meticulous and patient.

Also, thank you Tom for your patience and being responsible. Also, I could not find your name in the Hall of Fame list.

[1] - http://www.computerworld.com/s/article/9239477/Google_engineer_bashes_Microsoft_s_handling_of_security_researchers_discloses_Windows_zero_day

[2] - http://www.zdnet.com/google-researcher-publishes-windows-zero-day-exploit-7000016403/

[3] - http://nakedsecurity.sophos.com/2010/06/15/tavis-ormandy-pleased-website-exploits-microsoft-zeroday/

[4] - http://www.computerworld.com/s/article/9177948/Google_researcher_gives_Microsoft_5_days_to_fix_XP_zero_day_bug
f- over 11 years ago

Hey folks,

I am one of the co-founders of the Vulnerability Reward Program at Google. It's one of the longest-running and most generous programs of this kind: since 2010, we have paid out around $1M in rewards for more than 1,500 qualifying bug reports in web applications alone. We take great pride in keeping the process responsive, friendly, and hassle-free.

Of course, it takes just one bad experience to undo much of that. Tom's report is a valid issue. The reward panel - of which I am a member - decided that it did not meet the bar for a financial reward. I stand by this decision, but I think we should have been more forthcoming, precise, and responsive when communicating that. In other words, I think we messed up.

PS. If you ever run into any problems of this type - or just want a friendly soul to chat - please do not hesitate to poke me at lcamtuf@google.com :-)
zmmmmm over 11 years ago

No matter what he tried to explain, they just kept replying that he didn't qualify for the reward. It sounds like they have become super defensive about acknowledging bugs because the reporter will immediately try to claim a reward. If so, it's the exact opposite of the intent of the program.

I once reported Chrome because it crashed when I tried to load a 65536x65536 bitmap image. Since it was a crash I, of course, claimed it was a security issue, in the hope that was enough to get a reward. Of course, they didn't accept that, but it does make me think the other side of this issue may be that Google is now receiving so many of these they are unable to properly evaluate them all and are applying the "HR" solution (employ someone underqualified explicitly to fob off as many people as possible so that only super-qualified candidates get through).
kevingadd over 11 years ago

Arbitrary content injection into signed emails from Google, and it's not a security risk??? Incredibly poor response from them. Props to the author for being patient and trying multiple times to convince them to actually fix it.
roel_v over 11 years ago

Here's an honest question: why do people still bother with the 'responsible disclosure' nonsense? What's in it for them? Days of work, weeks of waiting and frustration, for a 'mention' in some imaginary 'hall of fame'? $1mm over 1500 bugs, that's $666 / bug. That's about a day's worth of work if your rates are low and you are in a low CoL area, or half a day or less if you work for Google.

I take it that people who find these vulns do it for fun, even if it's their job - if you don't have a contract to start looking for issues, there is no reason to do so other than fun. So the only reason people bother with 'responsible disclosure' is, as far as I can tell, because not doing so would damage their public persona. But it only got to that point because big vendors pushed the moral superiority of 'responsible disclosure' on us over the last decade. Back in the 1990's (when I was last sort of active in the scene), nobody would think of giving vendors weeks or months of time to fix their own damned bugs - if your PoC exploit worked at 3am (with real, working shell code, none of that 'call ::MessageBox(NULL, "U got 0wned")' nonsense), you'd post it to bugtraq at 3:15 so that you could see the responses when you got out of bed in the morning.
jrochkind1 over 11 years ago

Maybe they can justify thinking it wasn't really a security vulnerability, or maybe they can say, hey, everyone makes mistakes, we didn't realize it was a security vulnerability.

But what the heck is the justification for deciding it's a security vulnerability that needs to be fixed only when the guy says he's going to advertise it publicly? What the hell is that?

If he had sold it privately, without telling Google, instead of letting them know he'd be advertising it publicly -- then it still wouldn't be worth fixing?
kintamanimatt over 11 years ago

I don't understand this pervasive mentality among companies that run such a cash-for-bugs scheme. Isn't the idea to encourage people to properly report bugs by rewarding them financially, thereby discouraging them from selling the details to the highest unrelated bidder?

All Google is doing is damaging its reputation.
turing over 11 years ago

I definitely commend the author for his work, but I think that there might have been a slight misunderstanding here. In his last email, the author talks about how public disclosure would "force" Google to fix the vulnerability. But I read Google's response as simply saying that they did not think the bug qualified for the program, not that they didn't intend to fix it. Then again, my reading is definitely influenced by my time at Google and how seriously my team took this sort of thing.
r0bbbo over 11 years ago

I think I might be missing something - as a Google service user, I'd have to update my own name to be Mr Test<!--BAD STUFF HERE in order to perform a phishing attack on myself?
cryptbe over 11 years ago

Wow. Give me a break, please. What the OP reported was a super minor issue, and he's already got what he deserves.

His bug allowed him to inject links into verification emails sent by Google Scholar. He claimed that he could inject CSS links too, but that didn't make this problem any worse. Why? Because it's up to mail clients to load the linked CSS stylesheets or not. Gmail, for example, would never load those remote CSS files. If your webmail client does that, it's time to switch to a better one.

So he could inject links, which is annoying, but still a very minor issue. It may make phishing a bit easier, but you know what, phishing has always worked against average Joe if you try hard enough. That means that this problem doesn't really give an attacker any advantages that he couldn't get by himself.

Disclaimer: I'm a member of the team that handles VRP.
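As an added illustration of the injection r0bbbo and cryptbe are describing (a user-controlled display name spliced into an HTML email template, with `<!--` hiding the rest of the message), here is a constructed example. It is not code from the original post or from Google: the template wording, the `.example.invalid` URLs, the token and the attacker-chosen name are all assumptions; the real Google Scholar template is not on this page. The same rendering function is shown in its vulnerable form and with HTML escaping applied at the point of substitution.

```python
import html
import re
from string import Template

# Constructed stand-in for a verification-email template. The real Google
# Scholar template is not on the page; the wording and URLs here are assumed.
TEMPLATE = Template(
    "<html><body>"
    "<p>Hello $name,</p>"
    "<p>Please verify your email address for Google Scholar: "
    '<a href="https://scholar.example.invalid/verify?token=$token">confirm</a></p>'
    "</body></html>"
)

# Constructed attacker-chosen display name. The page only shows the shape
# 'Mr Test<!--BAD STUFF HERE'; here the injected <a> and <link> tags are placed
# *before* the '<!--' so that the unterminated comment swallows the genuine
# verification link and every closing tag that follows it.
ATTACKER_NAME = (
    'Mr Test<a href="https://phish.example.invalid/login">confirm</a>'
    '<link rel="stylesheet" href="https://phish.example.invalid/style.css">'
    "<!--"
)
LEGIT_URL = "https://scholar.example.invalid/verify?token=t0k3n"


def render_unsafe(name: str, token: str) -> str:
    """Vulnerable: the user-controlled name is substituted into the HTML verbatim."""
    return TEMPLATE.substitute(name=name, token=token)


def render_safe(name: str, token: str) -> str:
    """Hardened: every user-controlled value is HTML-escaped before substitution,
    so '<', '>', '&' and quotes can no longer open or close markup."""
    return TEMPLATE.substitute(
        name=html.escape(name, quote=True),
        token=html.escape(token, quote=True),
    )


def visible_links(doc: str) -> list[str]:
    """Links a mail client would actually act on: drop HTML comments (terminated
    or running to end of document), then collect href targets of <a> and <link>
    tags. Deliberately crude; it only compares the two renderings and is not
    an HTML parser."""
    no_comments = re.sub(r"<!--.*?(?:-->|$)", "", doc, flags=re.S)
    return re.findall(r'<(?:a|link)\b[^>]*\bhref="([^"]*)"', no_comments, flags=re.I)


if __name__ == "__main__":
    unsafe = render_unsafe(ATTACKER_NAME, "t0k3n")
    safe = render_safe(ATTACKER_NAME, "t0k3n")
    # In the unsafe rendering the real verification URL is still in the bytes,
    # but it sits inside the comment; only the attacker's links are visible.
    print("unsafe, visible links:", visible_links(unsafe))
    print("safe,   visible links:", visible_links(safe))
```

The escaping belongs in the sender's template layer (or an autoescaping template engine), because that is the only side the sender controls; whether a given client also refuses to fetch the injected remote stylesheet, as cryptbe notes Gmail does, is a client-side mitigation the sender cannot rely on.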
benatkin over 11 years ago

I don't see the author's name in the linked Honorable Mentions page. Did someone from Google pull it because they didn't like this blog post? Searched for "tom", "Mathias", and "vago". No recent results for any of these search terms.
moloch over 11 years ago

You should not trust emails.
thrownaway2424 over 11 years ago

It looks like your options for formatting the content are pretty limited and you can't change the subject line nor the preamble about Google Scholar, so you wouldn't be able to, say, masquerade as a password recovery email or anything like that. Still, I personally feel like any content injection should be treated seriously.
wahsd over 11 years ago

Re. current discussions of security and code review because of the NSA and other government entities corrupting standards: if Google and Facebook cannot find such simple errors, and then even balk at implementing a fix, which turns out to reveal an even larger flaw, what hope is there?