Well, I finally made it onto the Google Security Hall of Fame (Honourable Mention section of the page).
In fact, my details got added a while back; however, I haven’t had the time to update the blog.
The issue that got me on there was a cross-site scripting issue (Self XSS in this case) in the invite functionality of Google Chat.
Google Chat is used throughout differing Google sites and all of them looked like they were vulnerable; however, upon checking the cookie returned, it would seem that the issue lay not in the translation site or iGoogle as first thought but with GoogleUserContent, which is not a site eligible for a reward.
I’d like to thank Adam Mein from the Google Security Team for all of his help and patience in the to and fro of helping to confirm and then assist in getting the issue fixed.
As everyone seems to like pictures, I’ll link to a couple of them here.
As for the arguments for and against paying for bugs, I’ve still not changed my stance; I’m all for it, although my reasons have changed.
So from my point of view, and hopefully Google’s, the program is a success due to the new relationships it creates between bug reporters and fixers.
Lastly, here is a nice document from the Google security team talking about the success of the reward program.
The Test Manager