Message-ID: <CAEJizbaCBJ=NXm-TQ=36MRWNaPU=5EN5ErxxOv1BkHUP8B3Kfw@mail.gmail.com>
Date: Thu, 8 Dec 2011 14:57:49 +0000
From: Benji <me@...ji.com>
To: Charles Morris <cmorris@...odu.edu>
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: Google open redirect
Sorry, you think people should be making a living off reporting open
redirect disclosure?
On Thu, Dec 8, 2011 at 2:53 PM, Charles Morris <cmorris@...odu.edu> wrote:
> Michal/Google,
>
> IMHO, 500$ is an incredibly minute amount to give even for an error
> message information disclosure/an open redirect,
> researchers with bills can't make a living like that.. although it
> might? be okay for students.
>
> How many Google vulnerabilities per month are there expected to be?
> Granted there are other avenues to pursue for a fledgling researcher,
>
> What is the cost to Google's business if an open redirect causes their
> image to be tarnished
> by some arbitrary amount in the eyes of some percentage of consumers?
>
> Considering Google grossed 30 billion dollars in 2010, (ridiculous) I
> would expect that the numbers
> we are talking about perhaps are so massive that 500$ is nothing in
> comparison.
>
> We live in an age that pays 5k, or 30k, or 100k for a root level
> compromise,
> in a common package with a reliable and solid exploit. At least that's
> what I hear.
>
> Even if everyone else's opinion says "500$ is too much for a redirect",
> doesn't Google want to promote the industry by sharing a little of the
> wealth to people with good intentions and ability?
>
> It's time to raise the bar a little here, and I'm not just talking about
> bounty.
>
> Why would Google ever suffer from these issues to begin with?
> Can't Google, in its infinite wisdom and 30 billion dollars, come up with
> a better solution for whatever random problem they are trying to solve
> with an open redirect?
>
>
> n.b. I have never sold a vulnerability, even when non-pittance sums are
> offered
>
> /rant
>
> On Thu, Dec 8, 2011 at 12:15 AM, Michal Zalewski <lcamtuf@...edump.cx>
> wrote:
> >> _Open_ URL redirectors are trivially prevented by any vaguely sentient
> >> web developer as URL redirectors have NO legitimate use from outside
> >> one's own site so should ALWAYS be implemented with Referer checking
> >
> > There are decent solutions to lock down some classes of open
> > redirectors (and replace others with direct linking), but "Referer"
> > checking isn't one of them. It has several subtle problems that render
> > it largely useless in real-world apps.
> >
> ...
> > We have a vulnerability reward program, and it's just about not paying
> > $500 for reports of that vulnerability - along with not paying for
> > many other minimal-risk problems such as path disclosure.
> >
> > /mz
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>
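An added example, not code from anyone in this thread, of the "lock down" approach Michal alludes to: validating the redirect target itself rather than trusting the Referer header. The allowlisted hosts and the default landing page are constructed for the example.

```python
from urllib.parse import urlsplit, urlunsplit

# Constructed allowlist for the example; a real deployment lists its own hosts.
ALLOWED_HOSTS = {"www.example.com", "accounts.example.com"}
DEFAULT_TARGET = "/"


def safe_redirect_target(target: str, allowed_hosts=ALLOWED_HOSTS) -> str:
    """Return a redirect destination that stays on-site, or DEFAULT_TARGET.

    Accepts only:
      * relative paths starting with a single "/" (not "//" or "/\\", which
        browsers treat as scheme-relative URLs pointing at another host), or
      * absolute http(s) URLs whose host is in the allowlist and which carry
        no userinfo ("https://www.example.com@evil.example/" must not pass).
    Referer checking is deliberately not used (see the thread above).
    """
    if not isinstance(target, str) or not target:
        return DEFAULT_TARGET
    # Browsers treat a backslash like a forward slash, so "/\evil" is "//evil".
    candidate = target.replace("\\", "/").strip()
    parts = urlsplit(candidate)
    if parts.scheme == "" and parts.netloc == "":
        # Purely relative reference: allow only a single leading slash.
        path = parts.path
        if path.startswith("/") and not path.startswith("//"):
            return urlunsplit(("", "", path, parts.query, parts.fragment))
        return DEFAULT_TARGET
    if parts.scheme not in ("http", "https"):
        return DEFAULT_TARGET  # javascript:, data:, scheme-relative, etc.
    if parts.username is not None or parts.password is not None:
        return DEFAULT_TARGET  # userinfo trick: allowed-host@attacker-host
    host = (parts.hostname or "").lower()
    if host not in allowed_hosts:
        return DEFAULT_TARGET
    # Re-emit only the path component so the result is always same-origin.
    path = parts.path or "/"
    return urlunsplit(("", "", path, parts.query, parts.fragment))
```

Unknown or off-site targets fall back to the default page instead of being rejected with an error, so a mangled link degrades gracefully rather than becoming a second information-disclosure channel.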