Great job, Nils. I didn't know Google doubles the reward if it goes to charity.
I wonder why Microsoft doesn't have a similar program. Hotmail just got hacked pretty bad, and the hackers were selling the vulnerability for chump change in forums. What if they had an incentive to report it to Microsoft instead?
A slight tangent, but I'm curious, can Google claim the donation is from Google for tax purposes even though it's under the instruction of Nils instead of him receiving cash? If so, is that why they offer to double it?
Taxes had nothing to do with it. Early on, one of the Chrome VRP reporters asked that we donate his bounty to the International Red Cross. We all felt his generosity deserved some extra recognition, so we decided to top off the reward, and do the same in the future for approved charities. We also decided that unclaimed rewards would be paid to the International Red Cross.
That's pretty much the whole story. It was a quick email thread between a few people in Chrome Security and Google Security.
There's some cultural ... thing ... that makes it seem bad to donate to charity if you have some other motive, like ego or a tax deduction. I don't really understand why, but a lot of people feel that way.
Google can take a deduction for the full amount, whether it's a charitable donation (in which case they can deduct it as a charitable donation) or a payment (in which case it reduces the profit of the enterprise, on which tax is calculated).
Can someone clarify the whole charity tax deduction thing?
Unless tax is at >100% (or 50%?), surely there's no gain from doubling donations to benefit from tax deduction? Or am I not understanding something here?
I'm always curious as to why such an obvious bug couldn't be detected automatically. Some piece of code is printing a user name without sanitizing it. Fixing that particular bug is easy, but the real challenge is that the existence of the bug proves that your verification methodology has holes.
That is a good question, but I guess the answer is that XSS bugs are particularly hard to catch. Static code analysis can't know if a particular field you use in your templates (or wherever it is that your HTML gets rendered) is user supplied or not. You can try to catch it using manual code reviews, explicitly marking code that should not be escaped, etc., but it's easy to lose track of it. You can also try to have a number of users with names like this in your testing environment, but that is not fail-safe either.
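The two mitigations named in the reply above, escaping by default with an explicit marker for the rare trusted fragment, and keeping hostile display names in the test data so a regression shows up, can be combined into a small check. The following is an added example written for this thread, not code from Google, Chrome, or any commenter; the `SafeHTML` marker type, the `render_user_name` functions and the constructed test names are all assumptions made here for illustration.

```python
import html
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class SafeHTML:
    """Marker type (assumed here): the only way to put raw HTML into the
    fragment below. Everything that is not wrapped in it gets escaped."""
    value: str


def render_user_name_unsafe(name):
    """The shape of the bug under discussion: a user-controlled display
    name is interpolated straight into markup."""
    return f'<span class="user">{name}</span>'


def render_user_name(name):
    """Hardened form: escape by default, pass through only explicitly
    marked trusted fragments. quote=True also escapes " and ' so the
    value is safe inside attribute values, not just element bodies."""
    if isinstance(name, SafeHTML):
        body = name.value
    else:
        body = html.escape(str(name), quote=True)
    return f'<span class="user">{body}</span>'


# Constructed test fixtures: display names a test account set should
# include so that a template that forgets to escape is caught by tests.
HOSTILE_NAMES = [
    "<script>alert(1)</script>",
    '" onmouseover="x',
    "O'Brien <b>bold</b>",
    "<img src=x onerror=y>",
]

_WRAPPER_START = '<span class="user">'
_WRAPPER_END = "</span>"


def audit_render(render, names):
    """Render each name with the given renderer and return the names whose
    output still contains raw markup-significant characters between the
    wrapper tags. An empty list means every name was neutralised."""
    leaks = []
    for n in names:
        out = render(n)
        inner = out[len(_WRAPPER_START):-len(_WRAPPER_END)]
        if re.search(r'[<>"\']', inner):
            leaks.append(n)
    return leaks


if __name__ == "__main__":
    print("unsafe renderer leaks:", audit_render(render_user_name_unsafe, HOSTILE_NAMES))
    print("hardened renderer leaks:", audit_render(render_user_name, HOSTILE_NAMES))
    print(render_user_name("O'Brien"))
    print(render_user_name(SafeHTML("<b>admin</b>")))
```

The point of the marker type is that grep for `SafeHTML(` gives reviewers a complete list of every place where escaping was deliberately bypassed, which is exactly the bookkeeping the reply says is easy to lose track of. The audit only checks this one wrapper, so it complements rather than replaces contextual review of where the fragment is embedded.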