i'm glad you're so concerned with security. i wish you were concerned enough to not deliver my emails and chats to the US government. http://www.guardian.co.uk/world/2013/jun/06/us-tech-giants-nsa-data
i'm extremely disappointed in you Google. i'm Canadian, tell me this article isn't true. Or better yet, just delete this comment and pretend everything's great.
Sadly, no one bothered to report the vulnerability of Google to government mass surveillance - I'm sure that Google would have promptly fixed them and rewarded the reporter.
Perhaps this particular incentive would be better focused internally, rather than eternally. Having the most secure browser (or OS) means little if the data isn't safeguarded on the back end.
Having had little confidence in the transparency of Google (and other providers) with regard to government requests for customer information and activity, it is likely that denials will be forthcoming. And even if Google and the others were unwilling participants in PRISM, it certainly denigrates their credibility in matters of security.
That is good to know how much Google value holes in its arse. But what about usability bugs? Or people/ customer’s satisfaction is worthless for Google?
I have taken all the security measures printed by Google and others, but my password continues to get changed with email and Google products reviewed; including Adsense and PayPal activity. When I login w/2step verif. n codes, etc. a hacker is able to wedge in from somewhere. Then my pswrd is change, access to dashboard/activity are blocked w their password, notifications are permanently turned off , other changes are made n re-login does not allow 2step again. By the time I get a new pswrd n logged back in, the culprit already has what he/she came for. This is a new one on me. I have been wrestling with this one all day today.
I have similiar problem. My open ID is common known (I didn't register any. Intruders got acces to my G plus, Gmail, Blogger, Picassa, Chrome, YouTube. Two times I revoke account on G wallet - though I didn't register on it. I used to love Google but now I start to hate it. I can't delete one account e.g. because I'll lost all of them - includes Youtube where I'm present since 2006.
December 7, 2013 at 12:24 PM
Posted by Adam Mein and Michal Zalewski, Security Team
Our vulnerability reward programs have been very successful in helping us fix more bugs and better protect our users, while also strengthening our relationships with security researchers. Since introducing our reward program for web properties in November 2010, we’ve received over 1,500 qualifying vulnerability reports that span across Google’s services, as well as software written by companies we have acquired. We’ve paid $828,000 to more than 250 individuals, some of whom have doubled their total by donating their rewards to charity. For example, one of our bug finders decided to support a school project in East Africa.
In recognition of the difficulty involved in finding bugs in our most critical applications, we’re once again rolling out updated rules and significant reward increases for another group of bug categories:
Cross-site scripting (XSS) bugs on https://accounts.google.com now receive a reward of $7,500 (previously $3,133.7). Rewards for XSS bugs in other highly sensitive services such as Gmail and Google Wallet have been bumped up to $5,000 (previously $1,337), with normal Google properties increasing to $3,133.70 (previously $500).
The top reward for significant authentication bypasses / information leaks is now $7,500 (previously $5,000).
As always, happy bug hunting! If you do find a security problem, please let us know.
12 Comments
Close this window Jump to comment formi'm glad you're so concerned with security. i wish you were concerned enough to not deliver my emails and chats to the US government. http://www.guardian.co.uk/world/2013/jun/06/us-tech-giants-nsa-data
i'm extremely disappointed in you Google. i'm Canadian, tell me this article isn't true. Or better yet, just delete this comment and pretend everything's great.
June 6, 2013 at 10:17 PM
Sadly, no one bothered to report the vulnerability of Google to government mass surveillance - I'm sure that Google would have promptly fixed them and rewarded the reporter.
June 7, 2013 at 2:18 AM
Exploit: Allows an attacker full access to gmail, videos, photos, voice/video chat, contacts, etc.
Steps to reproduce: Send Google a letter saying that you represent the NSA. Add a post script saying, "hey, this is just between us."
June 7, 2013 at 11:06 AM
Great Rewards, Hack The Bug!
June 7, 2013 at 12:45 PM
Perhaps this particular incentive would be better focused internally, rather than eternally. Having the most secure browser (or OS) means little if the data isn't safeguarded on the back end.
Having had little confidence in the transparency of Google (and other providers) with regard to government requests for customer information and activity, it is likely that denials will be forthcoming. And even if Google and the others were unwilling participants in PRISM, it certainly denigrates their credibility in matters of security.
June 7, 2013 at 2:20 PM
this is amazing
June 10, 2013 at 2:02 AM
That is good to know how much Google value holes in its arse. But what about usability bugs? Or people/ customer’s satisfaction is worthless for Google?
June 11, 2013 at 10:06 AM
Well, u shud increase da bounty price more! That's too less 4 u Google..
June 26, 2013 at 11:36 PM
Awesome Rewards! It's time to hack bounties :D
August 7, 2013 at 11:07 PM
uhm wish i knwe some code, i could make a living out of this
August 13, 2013 at 12:57 AM
I have taken all the security measures printed by Google and others, but my password continues to get changed with email and Google products reviewed; including Adsense and PayPal activity. When I login w/2step verif. n codes, etc. a hacker is able to wedge in from somewhere. Then my pswrd is change, access to dashboard/activity are blocked w their password, notifications are permanently turned off , other changes are made n re-login does not allow 2step again. By the time I get a new pswrd n logged back in, the culprit already has what he/she came for. This is a new one on me. I have been wrestling with this one all day today.
September 6, 2013 at 10:35 PM
I have similiar problem. My open ID is common known (I didn't register any. Intruders got acces to my G plus, Gmail, Blogger, Picassa, Chrome, YouTube. Two times I revoke account on G wallet - though I didn't register on it. I used to love Google but now I start to hate it. I can't delete one account e.g. because I'll
lost all of them - includes Youtube where I'm
present since 2006.
December 7, 2013 at 12:24 PM