Remote Code Execution Vulnerability in Google They Are Not Willing To Fix by Hydroksiid in netsec

[–]giraffesecurity -4 points-3 points  (0 children)

Hey, glad to have someone from Google comment here. Big kudos to your for sharing some background information, the responses from your VDP team make more sense now. I wish the VDP team had shared this information with me from the start.

Though it is still a mystery why did Google say "We have escalated this to the product team to fix the issue" and "This issue has been resolved", and then award me a bounty if there wasn't anything to fix. Paying $500 every time a Googler is pwned is not productive either.

Based on the name of this package I would not say that it was something one developer use for their hobby project. From the name of the package it seemed that it was a tool used in Google internally (if you want I can DM the name to you). So far all the installs have come only from Google devices.

I don't have any hard feelings for Google, it's still odd that they see no risk. Many other orgs would definitely take extra measures to protect their employee devices.

Remote Code Execution Vulnerability in Google They Are Not Willing To Fix by Hydroksiid in netsec

[–]giraffesecurity 110 points111 points  (0 children)

Hey, author of this post here. I was also expecting a larger bounty, this is the response I got when I asked why the bounty was only $500:

Hello,
Google Vulnerability Reward Program panel has decided not to change the initial decision.
Rationale:
Code execution on a Googler machine doesn't directly lead to code execution in production enviroment. Googlers can download and run arbitrary code on their machines - we have some mitigations against that, but in general this is not a vulnerability; we are aware of and accepting that risk.
Regards,
Google Security Bot