No bounty was paid for this?

I can't say I'm surprised they didn't pay a bounty when they couldn't even own up to this on their own blog [1].

Instead they took it as an opportunity to market their new sandboxing on Google's blog [2] again with no mention of why their hand was forced into building the sandboxing they should have had before they rushed to onboard thousands of customers.

I have no idea what their plan was. They had to have known the researchers would eventually publish this. Perhaps they were hoping it wouldn't get the same amount of attention it would if they posted it on their own blog.

[1]: https://news.ycombinator.com/item?id=44954560

[2]: https://news.ycombinator.com/item?id=44954242

▲

mpeg 6 days ago | parent | prev [-]

First thing I looked for... this is an absolutely critical vulnerability that if exploited would have completely ruined their business. No bounty!?

▲

vntok 6 days ago | parent [-]

Why would they pay anything? The researchers offered them the vuln analysis for free, unprompted.

If anything, they got paid in exposure.

▲

cube00 6 days ago | parent | next [-]

Let's hope the grants keep coming in because those researchers will start getting offers from the darker corners of the web if bounties aren't paid.

	▲	vntok 2 days ago \| parent [-]
		It's their choice. If the researchers choose to accept and service criminal offers from darker corners of the web, they should be prosecuted as the criminals they have become.

▲

6 days ago | parent | prev [-]

[deleted]