Re: [Full-disclosure] Google open redirect

I think the reward is intended as a symbolic token of appreciation, and not
as compensation. That's why they give you the option to donate your cash
reward instead of keeping the money. I think what really drives researchers
into Google's program is recognition and not compensation, IMHO.

2011/12/8 Charles Morris <cmorris@xxxxxxxxxx>


IMHO, 500$ is an incredibly minute amount to give even for a error
message information disclosure/an open redirect,
researchers with bills can't make a living like that.. although it
might? be okay for students.

How many Google vulnerabilities per month are there expected to be?
Granted there are other avenues to pursue for a fledgling researcher,

What is the cost to Google's business if an open redirect causes their
image to be tarnished
by some arbitrary amount in the eyes of some percentage of consumers?

Considering Google grossed 30 billion dollars in 2010, (ridiculous) I
would expect that the numbers
we are talking about perhaps are so massive that 500$ is nothing in

We live in an age that pays 5k, or 30k, or 100k for a root level
in a common package with a reliable and solid exploit. At least that's
what I hear.

Even if everyone else's opinion says "500$ is too much for a redirect",
doesn't Google want to promote the industry by sharing a little of the
wealth to people with good intentions and ability?

It's time to raise the bar a little here, and I'm not just talking about

Why would Google ever suffer from these issues to begin with?
Can't Google, in it's infinite wisdom and 30 billion dollars, come up with
a better solution for whatever random problem they are trying to solve
with an open redirect?

n.b. I have never sold a vulnerability, even when non-pittance sums are


On Thu, Dec 8, 2011 at 12:15 AM, Michal Zalewski <lcamtuf@xxxxxxxxxxx>
_Open_ URL redirectors are trivially prevented by any vaguely sentient
web developer as URL redirectors have NO legitimate use from outside
one's own site so should ALWAYS be implemented with Referer checking

There are decent solutions to lock down some classes of open
redirectors (and replace others with direct linking), but "Referer"
checking isn't one of them. It has several subtle problems that render
it largely useless in real-world apps.

We have a vulnerability reward program, and it's just about not paying
$500 for reports of that vulnerability - along with not paying for
many other minimal-risk problems such as path disclosure.


Full-Disclosure - We believe in it.
Hosted and sponsored by Secunia -

Full-Disclosure - We believe in it.
Hosted and sponsored by Secunia -