Speaking of CVE for services

Speaking of CVE for services

Kurt Seifried-2
So more and more large companies are officially recognizing service flaws, paying money for them, but we have no way to track it =(. 

https://security.googleblog.com/2018/08/expanding-our-vulnerability-reward.html

Since 2010, Google’s Vulnerability Reward Programs have awarded more than $12 million dollars to researchers and created a thriving Google-focused security community. For the past two years, some of these rewards were for bug reports that were not strictly security vulnerabilities, but techniques that allow third parties to successfully bypass our abuse, fraud, and spam systems.

Today, we are expanding our Vulnerability Reward Program to formally invite researchers to submit these reports.

This expansion is intended to reward research that helps us mitigate potential abuse methods. A few examples of potentially valid reports for this program could include bypassing our account recovery systems at scale, identifying services vulnerable to brute force attacks, circumventing restrictions on content use and sharing, or purchasing items from Google without paying. Valid reports tend to result in changes to the product’s code, as opposed to removal of individual pieces of content.

--
Kurt Seifried
[hidden email]
Re: Speaking of CVE for services

Landfield, Kent

Was there a WG that was being co-sponsored with the CSA that was supposedly forming?

 

Thank you, Gracias, Grazie,  谢谢, Merci!, Спасибо!, Danke!ありがとうधन्यवाद!

-- 

Kent Landfield

+1.817.637.8026

[hidden email]

 

 

From: Kurt Seifried <[hidden email]>
Date: Friday, August 17, 2018 at 8:12 AM
To: cve-editorial-board-list <[hidden email]>
Subject: Speaking of CVE for services

 

So more and more large companies are officially recognizing service flaws, paying money for them, but we have no way to track it =(. 

 

https://security.googleblog.com/2018/08/expanding-our-vulnerability-reward.html

 

Since 2010, Google’s Vulnerability Reward Programs have awarded more than $12 million dollars to researchers and created a thriving Google-focused security community. For the past two years, some of these rewards were for bug reports that were not strictly security vulnerabilities, but techniques that allow third parties to successfully bypass our abuse, fraud, and spam systems.

Today, we are expanding our Vulnerability Reward Program to formally invite researchers to submit these reports.

This expansion is intended to reward research that helps us mitigate potential abuse methods. A few examples of potentially valid reports for this program could include bypassing our account recovery systems at scale, identifying services vulnerable to brute force attacks, circumventing restrictions on content use and sharing, or purchasing items from Google without paying. Valid reports tend to result in changes to the product’s code, as opposed to removal of individual pieces of content.

 

--

Kurt Seifried
[hidden email]

Re: Speaking of CVE for services

Kurt Seifried-2
Yes, I'm behind on a lot of stuff due to personal commitments with my kids over the summer. 

On Fri, Aug 17, 2018 at 9:28 AM, Landfield, Kent <[hidden email]> wrote:

Was there a WG that was being co-sponsored with the CSA that was supposedly forming?

 

Thank you, Gracias, Grazie,  谢谢, Merci!, Спасибо!, Danke!, ありがとうधन्यवाद!

-- 

Kent Landfield

+1.817.637.8026

[hidden email]

 

 





--
Kurt Seifried
[hidden email]