This could have been used to make millions and they took advantage of the reporter’s good faith and benevolent motivations.
Google, this is worth at least $1,0000,000 to you guys, and even more, in lost revenue, plus the impact of what gaming your search algorithm would have cost and damage to your reputation. Stop taking advantage of people.
Give this man what he deserves!
Someone with truly benevolent motivations does good things because they believe it's the right thing to do -- not because of a monetary reward. I'm not saying they shouldn't pay him more, but I think it's going a bit far to say they're "taking advantage of him".
If I find a wallet on the ground and there's $200 cash in it, I'll return it to the owner and leave all the money there. I don't expect a reward and certainly don't feel like I'm being taken advantage of if they don't give me some of that $$.
This category includes products such as Google Search
But it is probably intended to mean the front end of it, rather than the ranking algorithm.
Perhaps it would make sense for a third-party "bounty escrow" agency to exist. The escrow agency may be able to provide impartial arbitration of the exploit, and this may have the side effect of coming to a decision faster and promoting a quicker actual bug fix for the end-users.
It's literally their numbers spitting out how much it would have cost!
But hey, at least it's Leet.
This is a pretty cool exploit.
"I have a couple of other ideas for search related attacks, but am not sure I'm going to explore them any longer."
You're valuing yourself way too low. You've done a good job with this and should receive more bounty for it. Also see if you can earn more for doing research elsewhere: https://www.bugcrowd.com/bug-bounty-list/ Also maybe use something like https://www.hackerone.com/
- I've not seen a confirmed use of this in the wild yet, despite a few people emailing me stories where they suspect it.
- I am unsure what is with the bug bounty amount. I think either:
1) The various teams didn't communicate well about the impact until after the award,
2) I haven't fully understood the bug, however as per VRP rules I stopped when I had "discovered a potential security issue", at which point "The panel will consider the maximum impact". It may be I've not understood the impact fully.
3) They want to discourage SEO type research as opposed to pure security research, but I doubt that is the case and it doesn't match up with my previous dealings with the team.
- If you are concerned you are affected, I'm happy to take a quick look at your data for free (email@example.com) to see if I have any insights.
- The best/only way to detect this being done to you is to find the 301/302 redirects for the sitemap in your server logs.
The VRP page talks about the "maximum impact" and this impacts users and advertisers, as well as businesses relying on organic Google traffic.
However, I take your point - I'm aware this is not a typical sort of issue for a bounty.
To reiterate - I am grateful to Google that they run the bounty programme and that they awarded a bounty for this. I've previously reported several issues (e.g. ) that have not been rewarded any bounty, which is the nature of the programme and absolutely fine.
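As an added example (not code from the thread or from the original write-up), here is a small Python scanner for the check described in the bullet about server logs: it walks access log lines in the common "combined" format (the sample lines below are constructed, not real traffic) and flags requests for sitemap-looking paths that were answered with a 301/302, noting whether the fetcher identified itself as Googlebot.

```python
import re

# Constructed sample lines in Apache/nginx "combined" log format (not real traffic).
SAMPLE_LOG = """\
203.0.113.10 - - [28/Sep/2017:10:01:02 +0000] "GET /sitemap.xml HTTP/1.1" 301 0 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
203.0.113.10 - - [28/Sep/2017:10:01:03 +0000] "GET /index.html HTTP/1.1" 200 5123 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
198.51.100.7 - - [28/Sep/2017:10:05:44 +0000] "GET /sitemap_index.xml HTTP/1.1" 200 812 "-" "Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)"
192.0.2.55 - - [28/Sep/2017:11:15:09 +0000] "GET /sitemap.xml?ref=foo HTTP/1.1" 302 0 "-" "curl/7.58.0"
"""

# Fields of the combined log format we need: client IP, timestamp, request line, status, user agent.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)"'
)

# Paths that look like a sitemap: /sitemap.xml, /sitemap_index.xml, /sitemaps/sitemap-1.xml.gz, ...
SITEMAP_RE = re.compile(r'sitemap[^/?]*\.xml(\.gz)?(\?|$)', re.I)

# The thread's detection tip: look for 301/302 answers to sitemap requests.
REDIRECT_STATUSES = {301, 302}


def find_sitemap_redirects(log_text):
    """Return one record per sitemap request that was redirected, in log order."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        status = int(m.group("status"))
        path = m.group("path")
        if status in REDIRECT_STATUSES and SITEMAP_RE.search(path):
            hits.append({
                "ip": m.group("ip"),
                "time": m.group("ts"),
                "path": path,
                "status": status,
                "ua": m.group("ua"),
                # A redirected fetch by Googlebot is the pattern worth investigating.
                "googlebot": "googlebot" in m.group("ua").lower(),
            })
    return hits


if __name__ == "__main__":
    for hit in find_sitemap_redirects(SAMPLE_LOG):
        flag = "GOOGLEBOT" if hit["googlebot"] else "other"
        print(f'{hit["time"]} {hit["ip"]} {hit["status"]} {hit["path"]} [{flag}]')
```

The combined format does not record the redirect target, so once a redirected sitemap fetch is found the Location header has to be checked in the server or CDN configuration (or a log format that includes it).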
Nice work! It is amazing how a bug that so many people don’t care about (open redirects) could have been used to exploit Google’s prime income generator.
If nothing else, you can use this as a nice gem on your resume, which can help you get more interviews or better paying jobs in the future.
I've been doing research like this for 5+ years, and you go in knowing most of it won't lead to anything. I'd hoped for more, but I could have simply failed again and got nothing! :)
As I've said below, I'd have reported it anyway even without a bounty; however I probably wouldn't have done the research in the first place were there not a bug bounty programme.
I've previously had 2 bounties from Google. One was an easy find and was also $1337. The other was more technical but still straightforward and also played to SEO and got $5000 - in that instance Matt Cutts was involved and I believe advocated for the amount (thanks, Matt!). This was far more impactful than that other issue, and more directly monetisable.
However, I have to admit it does nag at me a bit that the bounty is so small - it is like they are trying to send a message but I'm just not sure what it is!
I have done loads of research over the last 5 years (this exploit took me a couple of months to craft) and most comes to nothing, and then when I do find something big, the bounty being so small is frustrating. A bigger bounty would have made a meaningful difference to me (kids+no savings!).
The broader issue is how this may play to motivating people to discover/report these sorts of issues in the future. I have a couple of other ideas for search related attacks, but am not sure I'm going to explore them any longer.
The fact is that these bug bounty programs should start paying competitive prices. They can lowball it by 10x-20x at most, but lowballing by 1000x leads to people just giving up their ethics.
Uncovering bugs that aren't attached to bug bounty programs still has external benefits for the security community.
Thanks for your work here, even without such a program.
Agreed. Relative to the value of exercising this exploit, your bounty is missing a few 0’s at the end. I hope that you at least get some professional credit for this, and that it translates to a financial boost. You certainly deserve it for discovering something like this and doing the right thing with it.
For example I could leverage the equity of a US made second hand car marketplace to rank my site in the UK and list UK Autotrader listings on my site. They have a nice affiliate program for clicks/leads.
Alternatively, I may only operate in one country but I could 'top up' my equity by leeching it from a company in a similar niche in another country. My competitors in my home country would be at a loss as to how I'm ranking so well.
It should be noted that there are a number of parameters that may change between my initial experiment and these uses, so we'll never know how viable it really was.
Also very interesting how long it took for them to figure out a solution. The bug report was filed and acknowledged in late September. According to the author, Google struggled with how to fix the issue for several months, even though the fix seemed simple ("don’t follow cross-domain redirects for pinged sitemaps").
Sorry Google, but you should be paying $1,333,337 for that.
That said, if one had taken advantage of this, what legal repercussions could or would you face? I mean, technically I can't see anything _illegal_ here, albeit unethical. Assuming you wanted to, isn't this just playing the system?
It would certainly be unethical, and if it is illegal it may mean many other shady black hat SEO practices are also illegal. I really have no idea though - would be interesting if there is a lawyer reading to hear any thoughts.
Closest I can fit it into within their existing scheme is:
> Logic flaw bugs leaking or bypassing significant security controls -- Other highly sensitive applications  -- Vulnerabilities giving direct access to Google servers
But that's a stretch, and the payout is still atrociously low for the value you could've squeezed out of it, potentially legitimately (millions).
TomAnthony, in your position, I'd keep making a stink here and possibly even see what other quirks you might find in PageRank and just pocket them for now. I've reached out to some old members of the VRP team to see if they can shed any light on whether the VRP can be tuned a bit in response to this, but you certainly should've gotten more.
I'm British so not good at kicking up a stink! However, it is Google's VRP, and they are under no obligation to give anyone anything, so I am not sure I have grounds to do so anyway. As I've said elsewhere, it is just hugely de-motivating and a disincentive (for both me and others) for similar research in future.
I think it would be a great addition to the VRP for them to include things affecting the core algo (their main product), but imagine it would be tricky to do without also getting a huge number of very tenuous reports.
[Disclaimer: Tom's a colleague of mine at Distilled where I'm a founder]
But they don't list any bounty rewards there. Tom should be on this list too, this could land him a nice job.
The point of a bug bounty is to give researchers an incentive to report bugs rather than sell or abuse them. This does exactly the opposite for me.
So, it's the meaning that counts, not the amount.
edit: source: https://en.wikipedia.org/wiki/Leet
Still, I believe that a more heavily accented/long "e", like in $13337 would have been graciously received ...
I wish Google had paid you more, but maybe the people in this thread will put their Money where their Outrage is, and thank you themselves.
To Google, 100k is nothing and in good faith, they should definitely reward more, but when it ties into someone's KPI, it will be tough to get more. They'd have to work with PR to understand the tradeoffs, etc.
The payout from Google seems very low; this bug took their core business model on a ride.
It’s worth noting that Google took 5 months to fix it, and almost discarded it a couple of times.