Google Praised Researcher's 'Nice Catch' Then Denied Bug Bounty — Flaw Still Unpatched
Security researcher Justin O'Leary reported a privilege-escalation vulnerability in Google's Config Connector, initially accepted as high-priority and high-severity. Google's representative even praised it as a 'Nice catch!' but later reversed course, declaring the behavior 'working as intended,' refusing to pay a bounty and leaving the flaw unpatched.

Highlights
- Researcher Justin O'Leary discovered a privilege-escalation vulnerability in Google Config Connector and received initial high-priority, high-severity classification from Google.
- A Google representative praised O'Leary with 'Nice catch!' before the company reversed its position and declared the behavior 'working as intended.'
- Google refused to pay any bug bounty and has not released a patch for the reported Config Connector flaw.
- Despite Google's official reversal, the bug report remains internally flagged as high-priority, contradicting the company's public stance.
- The incident has intensified scrutiny of big tech Bug Bounty Programs and the risk researchers face when companies unilaterally change vulnerability acceptance criteria.
Security researcher Justin O'Leary has disclosed a puzzling experience involving Google's bug bounty program: after reporting a privilege-escalation vulnerability in Google's Config Connector, the company initially accepted the submission under a high-priority, high-severity classification — and a Google representative even praised him with the words "Nice catch!"
Google subsequently reversed its position, however, declaring that the behavior was "working as intended" and that no vulnerability existed. As a result, the company declined to issue any bounty payment and has not released a patch.
According to a report by technology outlet The Register, despite Google's official change of stance, the bug report remains internally flagged as high-priority within the company's systems — a detail that highlights a stark contradiction between Google's internal handling of the issue and its public-facing position.
The incident has reignited debate within the security research community about the fairness of big tech companies' Bug Bounty Programs. Researchers invest significant time and effort to responsibly disclose vulnerabilities, yet they risk receiving nothing if a company unilaterally redefines its acceptance criteria after the fact.
Google has not issued a public response to the matter, and it remains unclear whether the Config Connector privilege-escalation flaw will ever be addressed.