
Google should have awarded a much larger value to this. Like $100k. This is a serious flaw.


What makes you say this is a serious flaw? It seems pretty minor to me. The page would have to be embedded (so the URL would be obviously wrong) and it requires several steps of manual user action with an uncommonly used feature (the feedback form) just to exfiltrate a tiny amount of data (the iframe viewport).


Right, but the potential surface area (basically all docs, including private ones) is absolutely huge. Preventing this from happening even once is worth more than 100k IMO.


(googler here, uninvolved with this bug though)

It also requires that the user know the document ID, so they would have to identify a document that they want access to, get the ID of that document, embed the document in a website that they can present to a user that DOES have access to that document (which they would be unable to know from the document itself, because the ACLs are only visible to people with view access), and then get them to click submit feedback.

I'll defer to others with more familiarity with bug bounties about the payout appropriateness, not my area of expertise, but it does seem like this would be a very difficult bug to exploit.


Minor? Depends on if you use the private doc feature and what lawsuits may follow. One of them will cost more than the bounty just to look at.


Right, but you'd somehow need to not only get your hands on the URL of a private doc but then inexplicably convince them to use the "send feedback" feature on that same private doc. This is a neat bug, don't get me wrong, but I don't think this is even something most would consider exploitable. IMO this is equally exploitable as telling the victim to hit the button labeled "PrntScr" on their keyboard and then hit Control-V.


"so the URL would be obviously wrong": The average user has no idea that a URL could be "wrong".


Such a user would be fooled by a plain old phishing attack then and there'd be no need for such sophisticated methods.


I don't really know, but maybe if you insert the URL of <Clone Document> so the user clones some well-crafted document, this document may access some other documents and a screenshot may leak them.

It's only a possibility, but usually once you have the XSS puzzle piece, getting the data may be as trivial as some JS code.


Do you seriously expect them to pay $100k for a decently serious bug in only one of their products?

In comparison, Apple paid 100k [0] for a full account takeover, using a bug so simple that it is unbelievable that it could have passed a code review and testing.

[0]- https://bhavukjain.com/blog/2020/05/30/zeroday-signin-with-a...


Perhaps it shouldn't be Google paying for the security reports, but the government... who then would need the statutory authority to fine Google for a very handsome profit?


Yes, $100k is not a lot of money for an issue like this. It's also not a lot of money in Google's security budget.

Apple's payout seems rather low to me. If I had a vuln like that and knew they were only paying $100k, I would probably seek to monetize it elsewhere.

$3k is almost insulting for something like this, given Google's scale. $31,337 might be more appropriate to at least avoid insult.


> Yes, $100k is not a lot of money for an issue like this.

Requiring rare user action and document URL? Sure. Live in your bounty bubble.

> If I had a vuln like that and knew they were only paying $100k, I would probably seek to monetize it elsewhere.

But you don't. The person exploiting it knows how much it is worth.

> $3k is almost insulting for something like this

Not for you to decide. He accepted it, meaning it's not insulting.


This one technically requires some user interaction.

Anyway, in the past I found a way to take over an organization account in Google Cloud acquisition and they rewarded me $100, saying their "Panel" decided that. Google's VRP panel sucks, so you're right about that.


I would stop sending these in and keep them for myself. I may trade them or sell them or write about them, but I wouldn't give them to Google in the hopes of a payment.


I am sorry, but that can ruin your career as it's illegal. You can't sell or trade vulnerabilities on live websites like Google as per the terms and conditions of the Google VRP (Responsible Disclosure policy). While it may seem unfair, it's illegal to do so.


It’s not illegal, criminally, to break terms and conditions. At least in the US.

You may have some impact on your career and be judged by your peers or perhaps brought to civil court for damages, but if done right it’s totally legal to sell exploits.


> Google rewarded $3133.7 for this bug under their VRP program.

It's a pretty odd amount too. I'm curious how they arrive at that number.


It's an old hacker reference to "eleet": https://en.m.wikipedia.org/wiki/Leet


The Google VRP team has a tradition of rewarding 4-figure and 5-figure amounts to match 1337 or L33T (Leet or Elite).

Example bounty amounts: $1337, $3133.7, $13337 and $31337.


The 1337 could be a nod to gamer culture because it stands for “leet” and may be popular with the folks who participate in bug bounties. Pure speculation on my part here.

EDIT: yep, looks like I missed all the other comments pointing this out, mobile app didn’t load them for some reason. Leaving the comment anyway.


Just to expand on this a bit, 31337 goes way back, before 'gamer culture' was a thing, and was popular enough that it got mentions in the 1995 movie Hackers.

I vividly remember BBS and IRC handles with variations of 31337 in them in the 80s. I'm sure it goes back even farther.


I think someone tried to be cute by having '1337' in the sum. If the figure wasn't so insultingly low it would've been fun.

