Bug Bounty programs can play unfair with hackers

A persistent XSS vulnerability in a Google property, usable for phishing, was reported to Google by hackers in September 2012. While hoping to receive a reward for their efforts, they were turned down with: “Someone else already reported this. You are not eligible for Bounty.” A Bulgarian hacker named “Keeper” reports that the vulnerability still works even after multiple submissions to Google. http://alrt.co/S6tlWA

Takeaway: Even companies such as Google have failed to identify and take seriously a proof-of-concept exploit in their “sandbox” environment that also applies to their production applications. This led to the hacker’s public disclosure of an exploit that was still unpatched after two months.