Date: Thu, 8 Dec 2011 09:53:52 -0500
From: Charles Morris <cmorris@...odu.edu>
To: Michal Zalewski <lcamtuf@...edump.cx>
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: Google open redirect

Michal/Google,

IMHO, 500$ is an incredibly minute amount to give even for an error
message information disclosure/an open redirect; researchers with bills
can't make a living like that... although it might? be okay for students.

How many Google vulnerabilities per month are there expected to be?
Granted there are other avenues to pursue for a fledgling researcher,

What is the cost to Google's business if an open redirect causes their
image to be tarnished by some arbitrary amount in the eyes of some
percentage of consumers?

Considering Google grossed 30 billion dollars in 2010 (ridiculous), I
would expect that the numbers we are talking about perhaps are so massive
that 500$ is nothing in comparison.

We live in an age that pays 5k, or 30k, or 100k for a root level compromise,
in a common package with a reliable and solid exploit. At least that's
what I hear.

Even if everyone else's opinion says "500$ is too much for a redirect",
doesn't Google want to promote the industry by sharing a little of the
wealth to people with good intentions and ability?

It's time to raise the bar a little here, and I'm not just talking about bounty.

Why would Google ever suffer from these issues to begin with?
Can't Google, in its infinite wisdom and 30 billion dollars, come up with
a better solution for whatever random problem they are trying to solve
with an open redirect?


n.b. I have never sold a vulnerability, even when non-pittance sums are offered

/rant

On Thu, Dec 8, 2011 at 12:15 AM, Michal Zalewski <lcamtuf@...edump.cx> wrote:
>> _Open_ URL redirectors are trivially prevented by any vaguely sentient
>> web developer as URL redirectors have NO legitimate use from outside
>> one's own site so should ALWAYS be implemented with Referer checking
>
> There are decent solutions to lock down some classes of open
> redirectors (and replace others with direct linking), but "Referer"
> checking isn't one of them. It has several subtle problems that render
> it largely useless in real-world apps.
>
...
> We have a vulnerability reward program, and it's just about not paying
> $500 for reports of that vulnerability - along with not paying for
> many other minimal-risk problems such as path disclosure.
>
> /mz

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
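Zalewski's point above, that Referer checking is not a fix for open redirectors, leaves open what locking one down actually looks like. The following is an added example (not code from this thread, from Google, or from either poster) in Python: it validates a redirect target against an allowlist of the site's own hosts, assumed here to be www.example.com and accounts.example.com, accepts only on-site destinations, and rejects the usual look-alike forms (protocol-relative, backslash and userinfo tricks, non-http schemes, embedded tabs and newlines).

```python
from urllib.parse import urlsplit, urlunsplit

# Hypothetical site hosts; a real deployment substitutes its own domains.
ALLOWED_HOSTS = {"www.example.com", "accounts.example.com"}


def safe_redirect_target(target: str, default: str = "/") -> str:
    """Return `target` if it stays on-site, otherwise `default`.

    The decision is made on the target alone; the Referer header is not
    consulted because it is client-controlled and frequently absent.
    """
    if not target:
        return default
    # Browsers drop tabs and newlines inside URLs, so remove them first;
    # otherwise "/\t/host" would parse as a path here but as "//host" there.
    target = target.translate({ord(c): None for c in "\t\r\n"})
    # Browsers also treat "\" like "/" in the authority part, so normalise
    # it before parsing to catch "/\evil.example"-style targets.
    target = target.replace("\\", "/")
    parts = urlsplit(target)
    if parts.scheme and parts.scheme not in ("http", "https"):
        return default  # javascript:, data:, and friends
    if parts.netloc:
        # Strict match on the whole authority: this also rejects
        # "www.example.com@evil.example", which a browser sends to evil.
        if parts.netloc.lower() not in ALLOWED_HOSTS:
            return default
        return urlunsplit(parts)
    # No authority: accept only a single-slash relative path.
    if not target.startswith("/") or target.startswith("//"):
        return default
    return target
```

Absolute same-site URLs are returned as given, so a redirector that prefers relative paths can further tighten the check by dropping the `parts.netloc` branch.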
