Google bug allowed phone number of almost any user to be discovered
Google has fixed a vulnerability in its account recovery flow which could have allowed attackers to find linked phone numbers.
www.malwarebytes.com
They received $5000 USD for the bug bounty. Not a great amount, though it was considered a low-risk issue.
Quote
Timeline
- 2025-04-14 - Report sent to vendor
- 2025-04-15 - Vendor triaged report
- 2025-04-25 - 🎉 Nice catch!
- 2025-05-15 - Panel awards $1,337 + swag. Rationale: Exploitation likelihood is low. (lol) Issue qualified as an abuse-related methodology with high impact.
- 2025-05-15 - Appeal reward reason: As per the Abuse VRP table, probability/exploitability is decided based on pre-requisites required for this attack and whether the victim can discover exploitation. For this attack, there are no pre-requisites and it cannot be discovered by the victim.
- 2025-05-22 - Panel awards an additional $3,663. Rationale: Thanks for your feedback on our initial reward. We took your points into consideration and discussed at some length. We're happy to share that we've upgraded likelihood to medium and adjusted the reward to a total of $5,000 (plus the swag code we've already sent). Thanks for the report, and we look forward to your next one.
- 2025-05-22 - Vendor confirms they have rolled out inflight mitigations while endpoint deprecation rolls out worldwide.
- 2025-05-22 - Coordinates disclosure with vendor for 2025-06-09
- 2025-06-06 - Vendor confirms that the No-JS username recovery form has been fully deprecated
- 2025-06-09 - Report disclosed