I woudn't like to discourage ppl submitting vulns to vendors but this is the response you'll most likely to get from those kind of vendors no matter what you found in their system. I had more than a dozen similar experience like yours. Now it's public + fixed and you gotta get nothing beside these replies (:
> Message: 10 > Date: Wed, 26 Jan 2011 01:33:16 -0800 > From: IEhrepus <5up3r...@gmail.com> > Subject: [Full-disclosure] www.google.com xss vulnerability Using > mhtml > To: full-disclosure@lists.grok.org.uk > Cc: s...@rckc.at > Message-ID: > > <aanlktinf+xicfvrw86cm-m0uhw_o0xzk1xfhfwtnr...@mail.gmail.com<aanlktinf%2bxicfvrw86cm-m0uhw_o0xzk1xfhfwtnr...@mail.gmail.com> > > > Content-Type: text/plain; charset=UTF-8 > > Long, long time ago, we heard an interesting legend is www.google.com > will Pay for its vulnerability,so we want to try ... > > lucky,A vulnerability has been caught by my friend > PZ[http://hi.baidu.com/p__z], this vul is base on ?Hacking with mhtml > protocol handler?[ > http://www.80vul.com/mhtml/Hacking%20with%20mhtml%20protocol%20handler.txt > ]: > > mhtml:http://www.google.com/gwt/n?u=[mhtml file url]!xxxx > > we are very happy,so we post it to secur...@google.com for the legend > :)[2011/01/23].We got a reply soon [2011/01/24]: > > --------------------------------------------------- > Hi Pavel, > > Nice catch! I?ve filed a bug internally and will keep you in the loop > as things progress. > > Regards, > xxx- Google Security Team > -------------------------------------------------- > > but ..... > > ------------------------------------------------- > Hi Pavel, > > The panel has determined this doesn't qualify for a reward for 2 reasons: > > 1) A very close variant was publicly disclosed on 21 Jan: > http://www.wooyun.org/bugs/wooyun-2010-01199 > 2) Technically, it's not a bug in Google, it's really a big in IE. > > Cheers, > xxx, Google Security Team > ----------------------------------------------- > > and Today we test the vul again ,it has been fixed .[2011/01/26] > > Thus, we understand the unspoken rules of this, This is a football > game, the vulnerability is the ball , MS and GG are the players > > > ----by superhei from http://www.80vul.com > > > > > hitest >
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/