
Appalling handling on Google’s end here. The duplicate issue part I can understand, but why should it take two reports of a critical vulnerability to take action? Surely when the first one comes through it’s something you jump on, fix and push out ASAP, not delay to the point where a second user can come along, find the bug, and report it.

The refactor that’s mentioned towards the end of the article is great, but would you not just get a fix out there as soon as possible, then work on a good fix after that? For a company that claims to lead the way in bug bounty programs this is a pretty disappointing story.




You can read in the conversation that Google was not able to reproduce it the first time the bug was submitted:

> The same issue was submitted to our program earlier this year, but we were not able to reproduce the vulnerability. When you submitted your report, we were able to identify and reproduce the issue and began developing a fix.

I wonder if it really was the same bug, or what they did wrong when trying to reproduce it. Or maybe they just made some mistake in reproducing it.


Agreed. If the first bug was

> I did something weird after putting in a new PIN, and I was able to access my home screen without my password, but I'm not sure of the exact steps I did

then that's not really a duplicate. If the original bug report doesn't have enough information to recreate the steps, the second one is the only real bug report.


Yes. The first one is more like a user complaint than an actual reproducible bug report.


Then if that’s the case, the author should have been paid a full payout, not a “thanks for making us fix this” payment.


Just trying to rationalize, but if the "external researcher" was hired by Google to find security issues, Google might have a requirement to fix the bug at its own pace.

I would personally be highly suspicious of a security flaw being a duplicate though. It can be a very convenient excuse not to pay the bounty.


Reporting and investigation matters. Perhaps the initial report was only on the bypass of the lock-screen, but the initial report only ran into the decrypted phone state, so it was dismissed as not being exploitable (see other comments), whilst the second report actually got inside an active phone (and then was also written up in a simple, concise and reproducible way).





They ended up rewarding him with $70,000 tho


> "Due to this, they decided to make an exception"

Sounds like they weren't going to at first, though, because it appeared to be a duplicate, but this was the better bug report that prompted an action.

(To be fair: my hat's off to Google for even having one, and it's still shocking to me that AWS doesn't have one at all.)


AWS has a bug bounty, it's just hosted by the fine black hat community instead of Amazon.


Took me a moment to catch! Nice!


Yeah, because he made a fuss about it. Guess how many bugs get reported and they just tell you it was already submitted and never talk to you again.


Yeah, I agree with that one. They set up a call and he stood by his decision to disclose it on Oct 15th. Then, 3 days before the disclosure deadline, they rewarded him.



