Great job, Nils. I didn't know Google doubles the reward if it goes to charity.
I wonder why Microsoft doesn't have a similar program. Hotmail just got hacked pretty bad[1], and the hackers were selling the vulnerability for chump change in forums[2]. What if they had an incentive to report it to Microsoft instead?
There are some rumours that other big players will start a bug bounty program soon. So I won't be surprised if Microsoft pays for vulnerabilities too.
A slight tangent, but I'm curious, can Google claim the donation is from Google for tax purposes even though it's under the instruction of Nils instead of him receiving cash? If so, is that why they offer to double it?
Taxes had nothing to do with it. Early on, one of the Chrome VRP reporters asked that we donate his bounty to the International Red Cross. We all felt his generosity deserved some extra recognition, so we decided to top off the reward, and do the same in the future for approved charities. We also decided that unclaimed rewards would be paid to the International Red Cross.
That's pretty much the whole story. It was a quick email thread between a few people in Chrome Security and Google Security.
Google makes the donation, so yes they get the tax benefits. However, as it still means twice as much money going to charity I don't know why anyone would have a problem with that.
There's some cultural ... thing ... that makes it seem bad to donate to charity if you have some other motive, like ego or a tax deduction. I don't really understand why, but a lot of people feel that way.
Google can take a deduction for the full amount, whether it's a charitable donation (in which case they can deduct it as a charitable donation) or a payment (in which case it reduces the profit of the enterprise, on which tax is calculated).
Can someone clarify the whole charity tax deduction thing?
Unless tax is at >100% (or 50%?), surely there's no gain from doubling donations to benefit from tax deduction? Or am I not understanding something here?
I'm always curious as to why such an obvious bug couldn't be detected automatically. Some piece of code is printing a user name without sanitizing it. Fixing that particular bug is easy, but the real challenge is that the existence of the bug proves that your verification methodology has holes.
That is a good question, but I guess the answer is that XSS bugs are particularly hard to catch. Static code analysis can't know if a particular field you use in your templates (or wherever it is that your HTML gets rendered) is user supplied or not. You can try to catch it using manual code reviews, explicitly marking code that should not be escaped, etc., but it's easy to lose track of it. You can also try to have a number of users with names like this in your testing environment, but that is not fail-safe either.
You could also do clever things with type systems in a language with sufficiently complex type checking, but nobody seems to do that either.
Unfortunately our industry rewards getting stuff done, and not getting stuff done right. (PHP being an extreme example.) So this state of affairs is likely to remain.
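The two comments above describe the defensive pattern that makes this class of bug catchable: escape by default, and make the "do not escape" decision an explicit, reviewable marker type rather than a convention. The example below is added here to illustrate that pattern; it is not code from the original thread or from Google, and the `Markup`, `escape`, `mark_safe`, `render` and `render_unsafe` names are hypothetical. It puts the unsanitized rendering the thread complains about beside an auto-escaping renderer, so the difference shows up on a constructed user name containing a script tag.

```python
import html

class Markup(str):
    """A string already known to be safe HTML (hypothetical marker type).

    Instances are only produced by escape() or by an explicit mark_safe() call,
    so every place where escaping is bypassed is visible in a code review.
    """
    __slots__ = ()

def escape(value: object) -> Markup:
    """Escape a value for an HTML text node or quoted attribute.

    Anything that is not already Markup is treated as untrusted, whatever its
    origin. quote=True also escapes " and ' so the result is safe inside
    attribute values, not just between tags.
    """
    if isinstance(value, Markup):
        return value
    return Markup(html.escape(str(value), quote=True))

def mark_safe(fragment: str) -> Markup:
    """Explicit opt-out: the caller asserts the fragment is trusted HTML."""
    return Markup(fragment)

def render_unsafe(template: str, **context) -> str:
    """The bug described in the thread: user data pasted into HTML as-is."""
    return template.format(**context)

def render(template: str, **context) -> Markup:
    """Auto-escaping renderer: every {placeholder} is escaped unless it is Markup."""
    safe_context = {name: escape(value) for name, value in context.items()}
    return Markup(template.format(**safe_context))

if __name__ == "__main__":
    # Constructed sample user name, the kind of test fixture the comment mentions.
    evil_name = '<script>alert(1)</script>'
    print(render_unsafe("<p>Hello, {name}</p>", name=evil_name))  # script tag intact
    print(render("<p>Hello, {name}</p>", name=evil_name))         # script tag neutralised
    print(render('<a title="{t}">x</a>', t='" onmouseover="x'))   # attribute context
    print(render("<div>{body}</div>", body=mark_safe("<b>ok</b>")))  # explicit opt-out
```

Because `Markup` is a distinct type, a static checker such as mypy can be told that HTML sinks accept only `Markup`, which is the "clever things with type systems" idea from the second comment: a plain `str` reaching a sink becomes a type error instead of an XSS found in production.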
This is so awesome. White hat security not only to make the internet more secure, but to make the world a better place. Hats off to you man, this is really fantastic.
I wonder what the implications are of having XSS on .google.com these days? All auth cookies are likely to be http-only, so probably not a serious vulnerability?
[1] http://www.vulnerability-lab.com/get_content.php?id=529
[2] http://www.whitec0de.com/new-hotmail-exploit-can-get-any-hot...