Re: [Full-disclosure] Google vulnerabilities with PoC
- To: M Kirschbaum <pr0ix@xxxxxxxxxxx>
- Subject: Re: [Full-disclosure] Google vulnerabilities with PoC
- From: Mario Vilas <mvilas@xxxxxxxxx>
- Date: Sat, 15 Mar 2014 12:11:39 +0100
I believe Zalewski has explained very well why it isn't a vulnerability,
and you couldn't possibly be calling him hostile. :)
On Sat, Mar 15, 2014 at 11:20 AM, M Kirschbaum <pr0ix@xxxxxxxxxxx> wrote:
> I have been watching this thread for a while and I think some people are
> being hostile here.
>
> There is nothing to gain being on either side but for the sake of
> security. As a penetration tester, writer, and malware analyst with a long
> and rewarding career...it would be absurd to admit that this is not a
> vulnerability. If the content-type fields can be altered and the API
> accepts it that is undoubtedly a vulnerability, I believe that it shouldn't
> be there. It would be a shame to say that this is not a security problem.
> I have seen different responses on this thread but having seen the proof of
> concept images as well I just think that some of the people commenting here
> are just being hostile.
>
> It doesn't take much for somebody in the field, to see clearly that Google
> does not want to pay. And I bet any amount of money that the bug bounty
> program is a way for filing potential threats by name and bank details.
>
> Rgds,
> M. Kirschbaum
>
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>
--
“There's a reason we separate military and the police: one fights the enemy
of the state, the other serves and protects the people. When the military
becomes both, then the enemies of the state tend to become the people.”