Sorry, you think people should be making a living off reporting open redirect disclosure?
On Thu, Dec 8, 2011 at 2:53 PM, Charles Morris <[email protected]> wrote:
> Michal/Google,
>
> IMHO, 500$ is an incredibly minute amount to give even for an error
> message information disclosure/an open redirect,
> researchers with bills can't make a living like that.. although it
> might? be okay for students.
>
> How many Google vulnerabilities per month are there expected to be?
> Granted there are other avenues to pursue for a fledgling researcher,
>
> What is the cost to Google's business if an open redirect causes their
> image to be tarnished
> by some arbitrary amount in the eyes of some percentage of consumers?
>
> Considering Google grossed 30 billion dollars in 2010, (ridiculous) I
> would expect that the numbers
> we are talking about perhaps are so massive that 500$ is nothing in
> comparison.
>
> We live in an age that pays 5k, or 30k, or 100k for a root level
> compromise,
> in a common package with a reliable and solid exploit. At least that's
> what I hear.
>
> Even if everyone else's opinion says "500$ is too much for a redirect",
> doesn't Google want to promote the industry by sharing a little of the
> wealth to people with good intentions and ability?
>
> It's time to raise the bar a little here, and I'm not just talking about
> bounty.
>
> Why would Google ever suffer from these issues to begin with?
> Can't Google, in its infinite wisdom and 30 billion dollars, come up with
> a better solution for whatever random problem they are trying to solve
> with an open redirect?
>
>
> n.b. I have never sold a vulnerability, even when non-pittance sums are
> offered
>
> /rant
>
> On Thu, Dec 8, 2011 at 12:15 AM, Michal Zalewski <[email protected]>
> wrote:
> >> _Open_ URL redirectors are trivially prevented by any vaguely sentient
> >> web developer as URL redirectors have NO legitimate use from outside
> >> one's own site so should ALWAYS be implemented with Referer checking
> >
> > There are decent solutions to lock down some classes of open
> > redirectors (and replace others with direct linking), but "Referer"
> > checking isn't one of them. It has several subtle problems that render
> > it largely useless in real-world apps.
> >
> > ...
> >
> > We have a vulnerability reward program, and it's just about not paying
> > $500 for reports of that vulnerability - along with not paying for
> > many other minimal-risk problems such as path disclosure.
> >
> > /mz
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
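The quoted exchange turns on Zalewski's point that Referer checking is not how you lock down a redirector: the header is routinely absent (privacy extensions, Referrer-Policy, HTTPS-to-HTTP navigations), so a check that fails open on a missing header protects nothing and one that fails closed breaks legitimate users. What does work is validating the redirect target itself against what the site is willing to send users to. The following is an added illustration, not code from any list participant or from Google; the allowlisted hosts, the fallback path, and the function name are constructed for the example.

```python
from urllib.parse import urlsplit

# Constructed allowlist for this example; a real application would supply its own.
ALLOWED_HOSTS = {"example.com", "accounts.example.com"}
FALLBACK = "/"


def safe_redirect_target(target: str, allowed_hosts=ALLOWED_HOSTS, fallback: str = FALLBACK) -> str:
    """Return `target` if it points somewhere this site is willing to send users, else `fallback`.

    The decision is made on the target alone; no request header (Referer or
    otherwise) is consulted, so the result does not depend on what the browser
    chose to send.
    """
    if not target:
        return fallback

    # C0 control characters (tab, CR, LF, ...) are stripped by browsers and by some
    # parsers before the scheme/host are interpreted, so "htt\tps://..." can mean
    # something different to each layer. Reject rather than normalise.
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in target):
        return fallback

    parts = urlsplit(target)

    if parts.scheme == "" and parts.netloc == "":
        # A relative reference. Accept only a path-absolute form with a single
        # leading "/": "//host/..." is scheme-relative and "/\host/..." is treated
        # the same way by browsers, so both would leave the site.
        if target.startswith("/") and not target.startswith(("//", "/\\")):
            return target
        return fallback

    # Absolute URL: only http(s), and only to an allowlisted host.
    if parts.scheme.lower() not in ("http", "https"):
        return fallback

    # urlsplit already separates userinfo from the host, so
    # "https://example.com@evil.example/" parses with hostname "evil.example".
    host = (parts.hostname or "").lower()
    if host not in allowed_hosts:
        return fallback

    # A userinfo component in a redirect target has no legitimate purpose here and
    # is a classic way to make a link look like it points at the trusted host.
    if parts.username is not None or parts.password is not None:
        return fallback

    return target


if __name__ == "__main__":
    # Constructed sample inputs, as a `next=` parameter might carry them.
    for candidate in [
        "/account/settings",
        "https://accounts.example.com/login",
        "//evil.example/",
        "/\\evil.example",
        "https://example.com@evil.example/",
        "javascript:alert(1)",
    ]:
        print(f"{candidate!r:45} -> {safe_redirect_target(candidate)!r}")
```

Same-origin relative paths are the cheapest thing to accept and cover most real uses of a `next=` or `continue=` parameter; the allowlist branch exists for the cases Zalewski alludes to where a redirect genuinely has to cross to another property, and the rest are better replaced by direct links.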
