Re: Speaking of CVE for services

Yes, I'm behind on a lot of stuff due to personal commitments with my kids over the summer. 

On Fri, Aug 17, 2018 at 9:28 AM, Landfield, Kent <Kent_Landfield@mcafee.com> wrote:

Was there a WG that was being co-sponsored with the CSA that was supposedly forming?


Thank you, Gracias, Grazie, 谢谢, Merci!, Спасибо!, Danke!, ありがとう, धन्यवाद!


Kent Landfield





From: Kurt Seifried <kurt@seifried.org>
Date: Friday, August 17, 2018 at 8:12 AM
To: cve-editorial-board-list <cve-editorial-board-list@mitre.org>
Subject: Speaking of CVE for services


So more and more large companies are officially recognizing service flaws, paying money for them, but we have no way to track it =(. 




Since 2010, Google’s Vulnerability Reward Programs have awarded more than $12 million dollars to researchers and created a thriving Google-focused security community. For the past two years, some of these rewards were for bug reports that were not strictly security vulnerabilities, but techniques that allow third parties to successfully bypass our abuse, fraud, and spam systems.

Today, we are expanding our Vulnerability Reward Program to formally invite researchers to submit these reports.

This expansion is intended to reward research that helps us mitigate potential abuse methods. A few examples of potentially valid reports for this program could include bypassing our account recovery systems at scale, identifying services vulnerable to brute force attacks, circumventing restrictions on content use and sharing, or purchasing items from Google without paying. Valid reports tend to result in changes to the product’s code, as opposed to removal of individual pieces of content.



Kurt Seifried

Page Last Updated or Reviewed: August 17, 2018