On top of that, Google spent millions of dollars to buy Chrome exploits, sandbox bypasses and webapp bugs. So, if this was a REAL bug with some REAL security impact, I don't think Google wouldn't have paid.
They have a REAL budget for that, they are not like Yahoo that sends you a t-shirt. The security industry has become a big business for many, with bug bounties, no more free bugs (and hugs), 100 pages of low/info risk findings bumped to high risk to scare the customer, and so on. At least do not pretend money when there is no security bug, and in general don't be a pretender if you don't have a clue. Cheers antisnatchor Mario Vilas wrote: > I believe Zalewski has explained very well why it isn't a vulnerability, > and you couldn't possibly be calling him hostile. :) > > > On Sat, Mar 15, 2014 at 11:20 AM, M Kirschbaum <pr...@yahoo.co.uk> wrote: > >> I have been watching this thread for a while and I think some people are >> being hostile here. >> >> There is nothing to gain being on eithers side but for the sake of >> security. As a penetration tester, writer, and malware analyst with a long >> and rewarding career...it would be absurd to admit that this is not a >> vulnerability. If the content-type fields can be altered and the API >> accepts it that is undoubtedly a vulnerability, I believe that it shouldn't >> be there. It would be a shame to say that this is not a security problem. >> I have seen different responses on this thread but having seen the proof of >> concept images as well I just think that some of the people commenting here >> are just being hostile. >> >> It doesn't take much for somebody in the field, to see clearly that Google >> does not want to pay. And I bet any amount of money that the bug bounty >> program is a way for filing potential threats by name and bank details. >> >> Rgds, >> M. Kirschbaum >> >> >> _______________________________________________ >> Full-Disclosure - We believe in it. >> Charter: http://lists.grok.org.uk/full-disclosure-charter.html >> Hosted and sponsored by Secunia - http://secunia.com/ >> > > > > _______________________________________________ > Full-Disclosure - We believe in it. > Charter: http://lists.grok.org.uk/full-disclosure-charter.html > Hosted and sponsored by Secunia - http://secunia.com/ -- Cheers Michele
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
