oh another of those bounty programs... but maybe this one is different from the rest?

If you ever find any security issue, don't expect to obtain a bounty from the big corps easily, and not even a "thanks". Once, the co-founder of one of the most important security companies told me "do not expect to receive a bounty without sending a minimum of 10 emails explaining the same thing in 10 different ways... average 20". It's a sad truth, and I think this means that usually legit critical security issue reports will not be properly rewarded because most people get tired quickly.

One year ago I discovered a session hijacking vulnerability on Facebook; the guy who responded to my messages didn't even know what the secure flag is. After asking me how to solve the bug (the solution was actually pretty simple) they never replied to me again.

With Google it was the same thing: last year I found leakage of sensitive user information because of bad cookie configuration, 0 bounties 0 thanks.

Another bad experience I had with Google, but maybe a bit off topic (sorry): almost two years ago gmail's cert changed for no apparent reason using a new CA, and it seemed that nobody else was having this issue (ie no mentions of this new cert on the web, googling the fingerprint returned 0 results) except me. I accepted this new cert on my laptop in my home; but then the "funniest" thing happened: when I connected to gmail from my university the previous cert appeared again, "it's ok.. nothing strange is happening here", but then when I went back to my home the new cert showed up again! my paranoia level went to over 9000 and immediately I connected through Tor to gmail (yup, the old nice cert was there again) and sent an encrypted mail to google's security team explaining everything, with the fingerprints and cert info, _including_ at the end of my message my pgp pubkey.

One and a half weeks later.. I received an email from the "security team": they replied to my message in plain text, my message was quoted unencrypted (!) and they asked me how I discovered this. I told them that my browser checks every new cert. I also asked them if it would be possible to not quote encrypted mails in plain text. Then, after two days I got a new email from them, again plain text, and it was pretty minimalistic: "We checked it out and the new certificate is ok" EOF. no digital signature no nothing, wtf!

oh well... at least the next day I connected to gmail in my home and the good old cert was there again :) (and the strange new cert never appeared again). A late Halloween story.