Remix.run Logo
thamzhack an hour ago

I've reported bugs to google VRP and got paid. The main problem with this report is that the victim has to click a suspicious link which is similar to phishing through email. No bounty programs award bounty for phishing.

This is not to say this isn't a bug. The author has to find a way to escalate the impact. If they are able to achieve the same impact without user interaction the impact will be high enough for bounty.