cube00 6 days ago

I can't say I'm surprised they didn't pay a bounty when they couldn't even own up to this on their own blog [1].

Instead, they took it as an opportunity to market their new sandboxing on Google's blog [2], again with no mention of why their hand was forced into building the sandboxing they should have had before they rushed to onboard thousands of customers.

I have no idea what their plan was. They had to have known the researchers would eventually publish this. Perhaps they were hoping it wouldn't get the same amount of attention it would if they posted it on their own blog.

[1]: https://news.ycombinator.com/item?id=44954560

[2]: https://news.ycombinator.com/item?id=44954242

mpeg 6 days ago

First thing I looked for... this is an absolutely critical vulnerability that, if exploited, would have completely ruined their business. No bounty!?

  • vntok 6 days ago

    Why would they pay anything? The researchers offered them the vuln analysis for free, unprompted.

    If anything, they got paid in exposure.

    • cube00 6 days ago

      Let's hope the grants keep coming in because those researchers will start getting offers from the darker corners of the web if bounties aren't paid.

      • vntok 3 days ago

        It's their choice. If the researchers choose to accept and service criminal offers from darker corners of the web, they should be prosecuted as the criminals they have become.
