Date: Thu, 8 Dec 2011 14:57:49 +0000
From: Benji <me@...ji.com>
To: Charles Morris <cmorris@...odu.edu>
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: Google open redirect

Sorry, you think people should be making a living off reporting open
redirect disclosure?

On Thu, Dec 8, 2011 at 2:53 PM, Charles Morris <cmorris@...odu.edu> wrote:

> Michal/Google,
>
> IMHO, 500$ is an incredibly minute amount to give even for an error
> message information disclosure/an open redirect,
> researchers with bills can't make a living like that.. although it
> might? be okay for students.
>
> How many Google vulnerabilities per month are there expected to be?
> Granted there are other avenues to pursue for a fledgling researcher,
>
> What is the cost to Google's business if an open redirect causes their
> image to be tarnished
> by some arbitrary amount in the eyes of some percentage of consumers?
>
> Considering Google grossed 30 billion dollars in 2010, (ridiculous) I
> would expect that the numbers
> we are talking about perhaps are so massive that 500$ is nothing in
> comparison.
>
> We live in an age that pays 5k, or 30k, or 100k for a root level
> compromise,
> in a common package with a reliable and solid exploit. At least that's
> what I hear.
>
> Even if everyone else's opinion says "500$ is too much for a redirect",
> doesn't Google want to promote the industry by sharing a little of the
> wealth to people with good intentions and ability?
>
> It's time to raise the bar a little here, and I'm not just talking about
> bounty.
>
> Why would Google ever suffer from these issues to begin with?
> Can't Google, in its infinite wisdom and 30 billion dollars, come up with
> a better solution for whatever random problem they are trying to solve
> with an open redirect?
>
>
> n.b. I have never sold a vulnerability, even when non-pittance sums are
> offered
>
> /rant
>
> On Thu, Dec 8, 2011 at 12:15 AM, Michal Zalewski <lcamtuf@...edump.cx>
> wrote:
> >> _Open_ URL redirectors are trivially prevented by any vaguely sentient
> >> web developer as URL redirectors have NO legitimate use from outside
> >> one's own site so should ALWAYS be implemented with Referer checking
> >
> > There are decent solutions to lock down some classes of open
> > redirectors (and replace others with direct linking), but "Referer"
> > checking isn't one of them. It has several subtle problems that render
> > it largely useless in real-world apps.
> >
> ...
> > We have a vulnerability reward program, and it's just about not paying
> > $500 for reports of that vulnerability - along with not paying for
> > many other minimal-risk problems such as path disclosure.
> >
> > /mz
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>
