

How I could delete any video on YouTube - mukyu
http://kamil.hism.ru/posts/about-vrg-and-delete-any-youtube-video-issue.html

======
TomGullen
People saying he should have gotten more than $5k, it sounds like he accepted a
decent sum just to spend time looking with no requirement to find bugs! To me,
that sounds like he was compensated fairly from the get-go and any extra is just a
bonus.

~~~
NietTim
Yeah... He spent 6~7 hours on it. Seems like a fair deal to me. Others suggest
he should have deleted all JB's videos because it would have been more
rewarding than getting 5K. Guess they forgot about the attached jail time with
that one.

------
superasn
I remember last year someone discovered a very similar bug in Google's
Webmaster tool that would let any person remove any site from Google's search
results[1]. It's a wonder that bugs such as this are there in Google's site.

[1] [http://searchengineland.com/google-disables-url-removals-aft...](http://searchengineland.com/google-disables-url-removals-after-bug-allows-anyone-to-remove-any-site-86352)

------
nahushrk
While it would be great for him to get paid more than 5k for such a high
nuisance value bug, it'll be a bit difficult to figure out a metric to fairly
put a price on a bug. Bug bounties are based on efforts and not on what you
happen to find. It's like a lottery and it seems just about right for companies
to keep a standard reward for all bugs. I really like the idea of paying for
time spent + bug reward though.

------
xmm8
Now that's a critical bug.

~~~
scrapcode
Absolutely critical. And he got $5k? Glad his ethics are sound.

~~~
dsacco
This bug is probably worth about that much. It was a good find, however.

~~~
azinman2
Why so little? It's a pretty damn critical bug, especially if it were used
judiciously -- it might be really hard to detect. For a company with billions
it seems like they should have better incentivized this. I'd imagine China
would have paid a lot more for this bug, or one of the upcoming presidential
campaigns, for example.

~~~
kamilhism
Yes, this bug is worth more than $5k. To be honest I expected $15k - $20k :) I
wanted to write a kind of "complaint" to Google, but first I reread the Google
Vulnerability Reward Program Rules and understood that Google could not pay me
more. Take a look at the table here:
[http://www.google.com/about/appsecurity/reward-program/index...](http://www.google.com/about/appsecurity/reward-program/index.html#rewards),
YouTube is a "Normal Google application", this bug is in the "Logic flaw bugs
leaking or bypassing significant security controls" category. So that means
that Google rewarded me the maximum reward - $5,000 :)

Facebook has not got a boundary for maximum reward, so they can pay as much as
they want…

------
swframe
Like other serious business flaws (e.g. the GM key ignition bug), companies
weigh the risks and can conclude that it is cheaper to respond to the problem
than to fix it proactively. As a result, should the government require
businesses with sensitive data to implement bug bounties?

~~~
smt88
> _As a result, should the government require businesses with sensitive data
> to implement bug bounties?_

No. They should go further. We should have a law, similar to Sarbanes-Oxley,
that forces companies to undergo a security audit every year.

Otherwise, we're going to be in an endless cycle, where companies refuse to
invest in security, a huge breach occurs, and everyone suffers.

The current system does not incentivize investments in security because they
hurt the bottom line and have no tangible, immediate value to shareholders.
That's a dangerous situation.

~~~
icebraining
Having read about multiple "security audits" done under the PCI-DSS and
similar mandates, my faith in their effectiveness is pretty low. This is an
(admittedly extreme) example:
[http://serverfault.com/questions/293217/our-security-auditor...](http://serverfault.com/questions/293217/our-security-auditor-is-an-idiot-how-do-i-give-him-the-information-he-wants)

I'd rather see some security standards (updated yearly or so) and heavy fines
and reimbursements after a hack (not necessarily malicious - a proof of concept
published by a white hat hacker would do), if the security was lax. Triple them if
the company hid the fact that they had been hacked.

~~~
smt88
It's just impossible to avoid being hacked. If you're a big enough target,
someone on the bleeding edge is going to have the desire and ability to get
you. What if you're hacked because of a secret NSA backdoor installed in some
firmware?

Fining companies heavily for being hacked is like fining someone for being
rained on. Except, in this case, the rain is pretty much a guarantee, and the
person knows that, and when they get rained on, their customers get screwed.
So you fine them for not having an umbrella.

An audit doesn't necessarily need to be done the way it has before. It could
even just be a bug bounty hackathon, like the big browsers do.

If whitehats had a ton of easy-to-find work to do, there'd probably also be
fewer blackhats.

~~~
icebraining
It seems you missed the "(...) if the security was lax" part.

------
raz32dust
I don't think we should correlate the reward with the impact of the bug. Going
that route, even 20k is not really enough.

~~~
rjaco31
I don't see your point. If such a vuln could cause damage massively bigger
than 20k, why is it so stupid to reward the one who found it with a
corresponding amount?

~~~
mmahemoff
I actually agree $20K would seem fairer here, but to answer your question, one
reason it may not correlate closely is that you're only referring to the
demand side, ie how valuable is this discovery to Google?

The compensation level also comes down to the supply side - how many other
people might have discovered this bug shortly after this?

For this reason, there's probably a good argument to increase the reward
according to how long the vulnerability was present, to the extent that's
knowable. (More so with open source libraries under version control than a
website.)

------
mariojv
Avast blocked this site for having malware. Is this false detection or is
there actually malware on the site?

~~~
ars
Looks false to me. Only script I don't recognize is "uptolike.com".

------
fffrad
It's the littlest bugs that do the most harm. Bieber got lucky this time.

