科技回声
A tech news platform built on Next.js, providing global tech news and discussion content.
© 2025 科技回声. All rights reserved.

Google bug bounty for security exploit that influences search results

246 points by TomAnthony, about 7 years ago

22 comments

jaboutboul, about 7 years ago
Google should be ashamed of themselves for this meaningless, token “make ourselves feel good” payout. They have straight up exploited the reporter of the exploit.

This could have been used to make millions and they took advantage of the reporter’s good faith and benevolent motivations.

Google, this is worth at least $1,0000,000 to you guys, and even more, in lost revenue, plus the impact of what gaming your search algorithm would have cost and damage to your reputation. Stop taking advantage of people.

Give this man what he deserves!
x0x, about 7 years ago
@TomAnthony, This is f*up, google should have given you at least $1,337,000 bounty for this. This is one of the most profitable exploits I've seen discovered by anyone. Plus you've done the right thing and reported it. Good job on this discovery!

"I have a couple of other ideas for search related attacks, but am not sure I'm going to explore them any longer."

You're valuing yourself way too low. You've done a good job with this and should receive more bounty for it. Also see if you can earn more for doing research elsewhere; https://www.bugcrowd.com/bug-bounty-list/ Also maybe use something like; https://www.hackerone.com/
TomAnthony, about 7 years ago
To answer a few FAQs I've had over the last few days:

- I've not seen a confirmed use of this in the wild yet, despite a few people emailing me stories where they suspect it.

- I am unsure what is with the bug bounty amount. I think either:

  1) The various teams didn't communicate well about the impact until after the award,
  2) I haven't fully understood the bug, however as per VRP rules I stopped when I had "discovered a potential security issue", at which point "The panel will consider the maximum impact". It may be I've not understood the impact fully.
  3) They want to discourage SEO type research as opposed to pure security research, but I doubt that is the case and it doesn't match up with my previous dealings with the team.

- There are a few technical details not in the article (for example I believe the sitemap has to be a sitemap index file), but nothing that greatly changes it.

- If you are concerned you are affected, I'm happy to take a quick look at your data for free (tom.anthony@distilled.net) to see if I have any insights.

- The best/only way to detect this being done to you is to find the 301/302 redirects for the sitemap in your server logs.
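TomAnthony's last point above, finding the 301/302 redirects for the sitemap in your own server logs, as an added example that is not part of the thread. It assumes the Apache/Nginx combined log format, that the site's open-redirect endpoint carries its destination in a query parameter (combined logs do not record the Location header, so that is the only place the destination can be recovered from), and a site host of www.example.com; the log lines are constructed, not real traffic.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Combined log format (Apache/Nginx default):
#   host ident user [time] "METHOD path PROTO" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

OWN_HOST = "www.example.com"  # assumption: the site whose logs are being checked

# Constructed sample lines (TEST-NET addresses, reserved .invalid domain); not real traffic.
SAMPLE_LOG = [
    '192.0.2.10 - - [10/Apr/2018:03:12:40 +0000] "GET /sitemap.xml HTTP/1.1" 200 5120 "-" '
    '"Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"',
    '192.0.2.10 - - [10/Apr/2018:03:12:44 +0000] '
    '"GET /go?url=https%3A%2F%2Fattacker.invalid%2Fevil-sitemap.xml HTTP/1.1" 302 0 "-" '
    '"Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"',
    '192.0.2.11 - - [10/Apr/2018:03:13:01 +0000] '
    '"GET /go?url=https%3A%2F%2Fwww.example.com%2Fsitemap.xml HTTP/1.1" 302 0 "-" '
    '"Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"',
    '198.51.100.7 - - [10/Apr/2018:03:14:09 +0000] '
    '"GET /go?url=https%3A%2F%2Fpartner.invalid%2Fpromo HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    'this line is not in combined format',
]


def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def looks_like_sitemap(url):
    """Crude check: the path names a sitemap or an XML file."""
    path = urlsplit(url).path.lower()
    return "sitemap" in path or path.endswith((".xml", ".xml.gz"))


def redirect_target(request_path):
    """Open-redirect endpoints usually carry the destination in a query parameter.
    Return the first parameter value that is an absolute URL (heuristic; the
    Location header itself is not in combined-format logs)."""
    for values in parse_qs(urlsplit(request_path).query).values():
        for v in values:
            if v.startswith(("http://", "https://")):
                return v
    return None


def suspicious_sitemap_redirects(lines, own_host=OWN_HOST):
    """Entries where a sitemap-looking request, or a redirect whose recovered
    destination looks like a sitemap, was answered with 301/302.
    Destinations on another host are the ones worth investigating."""
    hits = []
    for line in lines:
        entry = parse_line(line)
        if entry is None or entry["status"] not in ("301", "302"):
            continue
        target = redirect_target(entry["path"])
        if not (looks_like_sitemap(entry["path"]) or (target and looks_like_sitemap(target))):
            continue
        entry["target"] = target
        entry["cross_domain"] = target is not None and urlsplit(target).hostname != own_host
        entry["googlebot"] = "googlebot" in entry["ua"].lower()
        hits.append(entry)
    return hits


if __name__ == "__main__":
    for h in suspicious_sitemap_redirects(SAMPLE_LOG):
        flag = "CROSS-DOMAIN" if h["cross_domain"] else "same-host"
        bot = "Googlebot" if h["googlebot"] else "other UA"
        print(f'{h["time"]} {h["status"]} {h["path"]} -> {h["target"]} [{flag}, {bot}]')
```

Run it against a real access log by replacing SAMPLE_LOG with the file's lines; a same-host 301 for /sitemap.xml is usually just canonicalisation, while a 302 from an open-redirect endpoint to an .xml file on a host you do not own, requested by a Googlebot user agent, is the pattern TomAnthony describes. The user-agent string is only a hint, since anyone can send it.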
eyeareque, about 7 years ago
I’ve worked at other companies in teams that take these security reports in. There’s no excuse for their long delays in response, you showed them clear abuse immediately. I wish you would have given them the tavis experience. Next time use Google’s own terms, with a set date on when you will publish to put pressure on them. They do this to others and need to be held to the same standards.

Nice work! It is amazing how a bug that so many people don’t care about (open redirects) could have exploited Google’s prime income generator.

If nothing else, you can use this as a nice gem on your resume, which can help you get more interviews or better paying jobs in the future.
matuszeg, about 7 years ago
$1337 is not enough money. A bug like this if used secretly and correctly could have made millions easily.
danso, about 7 years ago
This is an incredible bug, not just for its severity, but for its relative simplicity. And of course because it targets one of the most ubiquitous and popular and ostensibly secure software interfaces ever.

Also very interesting how long it took for them to figure out a solution. The bug report was filed and acknowledged in late September. According to the author, Google struggled with how to fix the issue for several months, even though the fix seemed simple ("don’t follow cross-domain redirects for pinged sitemaps").
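The fix danso quotes, "don't follow cross-domain redirects for pinged sitemaps", as an added example of what a sitemap fetcher with that policy looks like; this is illustrative code, not Google's implementation or anything from the article. It assumes a fetcher that receives a pinged URL and follows redirects itself; HTTP is stood in for by a constructed in-memory table (FAKE_WEB) so it runs offline, and the hostnames in it are made up.

```python
from urllib.parse import urljoin, urlsplit

REDIRECT_STATUSES = (301, 302, 303, 307, 308)


class CrossDomainRedirect(Exception):
    """Raised when a pinged sitemap tries to redirect off the host that was pinged."""


# Constructed stand-in for the web: URL -> (status, headers, body). Not real hosts.
FAKE_WEB = {
    "https://www.example.com/sitemap.xml":
        (301, {"Location": "/sitemaps/index.xml"}, ""),
    "https://www.example.com/sitemaps/index.xml":
        (200, {}, "<sitemapindex>legitimate index</sitemapindex>"),
    "https://www.example.com/go?url=https://attacker.invalid/evil.xml":
        (302, {"Location": "https://attacker.invalid/evil.xml"}, ""),
    "https://attacker.invalid/evil.xml":
        (200, {}, "<urlset>attacker-controlled</urlset>"),
}


def fake_get(url):
    """Pretend HTTP GET backed by FAKE_WEB (assumption: no real network)."""
    return FAKE_WEB.get(url, (404, {}, ""))


def redirect_allowed(pinged_url, target_url):
    """Policy: a redirect is followed only if it stays on the host named in the ping.
    The comparison is always against the original ping, not the previous hop, so a
    chain cannot walk off-host one step at a time."""
    return urlsplit(pinged_url).hostname == urlsplit(target_url).hostname


def fetch_pinged_sitemap(url, get=fake_get, max_redirects=5, allow_cross_domain=False):
    """Fetch the sitemap a ping pointed at. With allow_cross_domain=False (the fixed
    behaviour) an off-host redirect aborts the fetch instead of being followed.
    Returns (status, final_url, body)."""
    pinged = url
    for _ in range(max_redirects + 1):
        status, headers, body = get(url)
        if status in REDIRECT_STATUSES:
            nxt = urljoin(url, headers.get("Location", ""))
            if not allow_cross_domain and not redirect_allowed(pinged, nxt):
                raise CrossDomainRedirect(f"{url} -> {nxt}")
            url = nxt
            continue
        return status, url, body
    raise RuntimeError("too many redirects")


if __name__ == "__main__":
    print(fetch_pinged_sitemap("https://www.example.com/sitemap.xml"))
    ping = "https://www.example.com/go?url=https://attacker.invalid/evil.xml"
    print("naive fetcher:", fetch_pinged_sitemap(ping, allow_cross_domain=True))
    try:
        fetch_pinged_sitemap(ping)
    except CrossDomainRedirect as e:
        print("fixed fetcher refused:", e)
```

The same-host 301 (a site moving its sitemap to a new path) still works, while the open-redirect ping is refused by the fixed policy and only accepted when the naive behaviour is switched back on. A real fetcher would also bound the body size and the number of hops, as the loop here already does for hops.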
dannyw, about 7 years ago
Looking at the bounty amounts, this is insane. If you find a bug that allows you to take over a Google account, through "Logic flaw bugs leaking or bypassing significant security controls", the *maximum* payout is $13,337.

Sorry Google, but you should be paying $1,333,337 for that.
iamben, about 7 years ago
I'm with pretty much everyone else here. As symbolic as $1337 is, this is worth far more.

That said, if one had taken advantage of this, what legal repercussions could or would you face? I mean, technically I can't see anything _illegal_ here, albeit unethical. Assuming you wanted to, isn't this just playing the system?
thogenhaven, about 7 years ago
This is really great research. I don't understand how come Google didn't react sooner. It's the biggest black hat exploit I have seen in years.
maxehmookau, about 7 years ago
$1337 is a joke. This bug is worth so much more than that in potential lost revenue to Google!
eganist, about 7 years ago
There's nothing on the VRP which effectively covers business logic vulnerabilities. Realistically, this would be precisely why such a category would be needed.

Closest I can fit it into within their existing scheme is:

> Logic flaw bugs leaking or bypassing significant security controls -- Other highly sensitive applications [2] -- Vulnerabilities giving direct access to Google servers

But that's a stretch, and the payout is still atrociously low for the value you could've squeezed out of it, potentially legitimately (millions).

TomAnthony, in your position, I'd keep making a stink here and possibly even see what other quirks you might find in PageRank and just pocket them for now. I've reached out to some old members of the VRP team to see if they can shed any light on whether the VRP can be tuned a bit in response to this, but you certainly should've gotten more.
will_critchlow, about 7 years ago
Has anyone ever heard of another case like this? I've been following search pretty closely for most of Google's existence and this is the only bug bounty payout I've ever heard of for a blackhat core algo exploit.

[Disclaimer: Tom's a colleague of mine at Distilled where I'm a founder]
yAnonymous, about 7 years ago
As others have said, $1337 for such a bug is pathetic.

The point of a bug bounty is to give researchers an incentive to report bugs rather than sell or abuse them. This does exactly the opposite for me.
dnial02, about 7 years ago
$1337 bounty is a symbolic number to signify the receiver is an elite hacker.

So, it's the meaning that counts, not the amount.

edit: source: https://en.wikipedia.org/wiki/Leet
VikingCoder, about 7 years ago
Set up a Patreon and a Donate button.

I wish Google had paid you more, but maybe the people in this thread will put their Money where their Outrage is, and thank you themselves.
jakear, about 7 years ago
A commenter (@ivan2kh) raises a good question... what happens if you submit "evil.xml" on "https://www.amazon.com/clouddrive/share/xxx", or similar? Any host that allows user submitted files, and hosts them under their domain, could be exploited right?
wallace_f, about 7 years ago
Receiving 1337 $s from Google is awesome, but that bug bounty should have been higher.
foobaw, about 7 years ago
Although I agree that $1337 is definitely WAY too low, it's also someone's job to budget this and minimize payouts.

To Google, 100k is nothing and in good faith, they should definitely reward more, but when it ties into someone's KPI, it will be tough to get more. They'd have to work with PR to understand the tradeoffs, etc.
kerng, about 7 years ago
Wow, this is a great find with enormous potential impact. Kudos!

The payout from Google seems very low, this bug took their core business model on a ride.

Cool find!
hartator, about 7 years ago
Great work, and kudos for reporting it.

It’s worth noting that Google took 5 months to fix, and almost discarded it a couple of times.
wilun, about 7 years ago
The bounty is incredibly low.
shipnever, about 7 years ago
I hope you made yourself significantly more money out of this than $1,337...