Google Hall Of Fame – Bug OR Mechanism

July 12, 2016 | Views: 14663


The Google Hall of Fame is becoming very popular among security researchers and bug hunters. Curiosity is at an extreme: some are calling it the ‘Google Hall of Shame’ without analyzing the problem or the reason behind the mechanism. Others say ‘we didn’t report anything, nor did we find a valid security bug, but our names are still listed on the Google Hall of Fame’.

People are confused. Messages are flooding my inbox and my social media accounts from students, friends and colleagues regarding the debate about Google Hall of Fame. Questions and more questions.

Based on my analysis, I have been explaining that “it’s not a bug, it’s the current mechanism” – although I’m not the owner of the Google VRP.

It seems that three groups with three different mindsets are fighting each other. Please note: I’m not pointing fingers at anyone; I’m describing groups that share a mindset.

 

Group A = We worked really hard to get into the Google Hall of Fame. But nowadays beginners (I won’t use the word ‘kid’ here, because we should respect each other) are getting into the Hall of Fame.

In the back of their minds: why and how is this possible? They’re getting into the HoF with limited knowledge; there must be a problem at Google.

Group B = We’re more curious and are looking for ideas. How can we get into the Google Hall of Fame?

Group C = We got into the Google Hall of Fame and, no matter how it happened, we don’t care.

Well guys, that’s the whole reason behind this post.

Please note: I’m not defending Google’s Hall of Fame mechanism; whether it is right or wrong is a different story. I am trying to explain the mechanism behind the Google Hall of Fame with proof and references.


Let’s start!

POC 1: Fill in the report form with invalid details

Video: https://vimeo.com/173326890

As you can see, I filled in the report form with invalid values at:

https://www.google.com/appserve/security-bugs/m2/new?rl=&key=

 

After submission, you’ll receive a confirmation email from Google, which looks like:

Figure: confirmation-email

According to this email, “Google will investigate and get back to you…”

Bingo! Your Hall of Fame entry is already there (check the video POC again).

Analysis: In the above scenario you will not get the second email from the Google Security Team, the one in which they mark your report as “Triaged”, simply because you submitted an invalid report. Your profile is listed regardless.

Still confused about your profile entry in Google’s Hall of Fame? I’ve created another proof of concept to make it clearer.

 

POC 2: Report nothing at all

Video: https://vimeo.com/173330745

As you can see, I logged in with a new Gmail account and only created a new Google VRP profile at:

https://bughunter.withgoogle.com/new_profile

Finally, I got into the Google Hall of Fame without reporting anything.

Bingo!

Analysis: In the above scenario you will not get any confirmation email from the Google Security Team, because you haven’t reported any bug yet. The profile is listed anyway.

 

Conclusion:

It’s the Google VRP’s current mechanism: Google adds your profile to the honorable mentions page, under the heading Hall of Fame, automatically at the time the profile is created, as my second POC shows.

Google’s Hall of Fame is sorted based on a combination of:

  • Volume: more valid bug reports lead to a better ranking. Spurious reports may lead to a lower rank.
  • Severity: how severe are those bugs? Better bugs lead to a better ranking.

The Google VRP is based on a ranking system. Please understand that this is the current mechanism of the Google VRP.
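To make the conclusion concrete, here is an added example of my own (it is not Google’s code and not the VRP’s real scoring): a toy leaderboard that lists a profile the moment it is created and ranks it only on valid reports. The severity weights, the penalty for a spurious report and the tie-break order are assumptions made for the illustration; the post gives no numbers, and the sample profiles are constructed.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Assumed weights for this illustration only; the post gives no numbers.
SEVERITY_WEIGHT = {"low": 1, "medium": 3, "high": 7, "critical": 15}
SPURIOUS_PENALTY = 2  # assumed cost of each invalid ("spurious") report


@dataclass
class Report:
    valid: bool
    severity: str = "low"  # only meaningful when valid is True


@dataclass
class Profile:
    name: str
    reports: List[Report] = field(default_factory=list)


class HallOfFame:
    """Toy leaderboard: a profile is listed the moment it is created."""

    def __init__(self) -> None:
        self._profiles: Dict[str, Profile] = {}

    def create_profile(self, name: str) -> Profile:
        # Listing happens here, before any report exists (the POC 2 behaviour).
        if name in self._profiles:
            raise ValueError(f"profile already exists: {name}")
        self._profiles[name] = Profile(name)
        return self._profiles[name]

    def is_listed(self, name: str) -> bool:
        return name in self._profiles

    def submit(self, name: str, valid: bool, severity: str = "low") -> None:
        # An invalid report (the POC 1 case) is recorded but earns no credit.
        if valid and severity not in SEVERITY_WEIGHT:
            raise ValueError(f"unknown severity: {severity}")
        self._profiles[name].reports.append(Report(valid, severity))

    def valid_count(self, name: str) -> int:
        return sum(1 for r in self._profiles[name].reports if r.valid)

    def score(self, name: str) -> int:
        reports = self._profiles[name].reports
        credit = sum(SEVERITY_WEIGHT[r.severity] for r in reports if r.valid)
        spurious = sum(1 for r in reports if not r.valid)
        return credit - SPURIOUS_PENALTY * spurious

    def ranking(self) -> List[Tuple[str, int]]:
        # Higher score first, then more valid reports, then name for a stable order.
        ordered = sorted(
            self._profiles,
            key=lambda n: (-self.score(n), -self.valid_count(n), n),
        )
        return [(n, self.score(n)) for n in ordered]


def demo() -> List[Tuple[str, int]]:
    """Constructed sample data: three profiles, one of which never reports."""
    hof = HallOfFame()
    for who in ("alice", "bob", "newbie"):
        hof.create_profile(who)
    hof.submit("alice", valid=True, severity="high")
    hof.submit("alice", valid=True, severity="medium")
    hof.submit("bob", valid=True, severity="critical")
    hof.submit("bob", valid=False)  # an invalid report costs bob a little
    return hof.ranking()


if __name__ == "__main__":
    for name, score in demo():
        print(f"{name:8} {score:3}")
```

Run it and "newbie" appears at the bottom of the list with a score of 0 even though it never submitted anything, which is exactly the situation from the second POC; only valid, triaged reports move a name upwards.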

 

References:

Figure: reveal-03

Please note: whether the current mechanism is right or wrong, better or worse, logical or illogical is a separate discussion and out of scope for this post.

 

Last but not least, please understand this: when you report a valid bug, you will get the following:

  1. A confirmation email, as shown in the first POC.
  2. A “Triaged” notification for your report, like this:

Figure: 02

  3. An email awarding a “Bounty”, like this:

Figure: a-06-1

 

So please don’t treat yourself as a victim. Report a valid bug and get the reward! :)

Thanks !

Ali Tabish

10 Comments
  1. This is a fake bounty. Google isn’t paying a bounty for this bug, and Rahul Singh (https://www.facebook.com/rahulcracker) is the only one who reported this bug and got Hall of Fame. Take down this article or the part mentioning the screenshot of the fake bounty.

    • Sorry, my bad. I thought this bounty PoC was for the Google fake Hall of Fame bug (which you mentioned as an example), as Rahul Singh reported this as a bug and was rewarded with HoF but not a bounty. You can delete this comment if you want. Nice website anyway. Keep up the good work 🙂

      Thanks.

  2. Ha ha ha ha ha, yes, all are kids and you are the only leet 🙂 Well, nice POC, leet, but only one problem here: you were not the right person who got HOF and the reward for this bug 😛 Hope you got my point 😉 Otherwise you would never hide the details 😛

    • Kid, there is a problem with your comment. I think you have not read the apology comment of your friend. Let me share it here:

      daichitrojan
      5:24 am on July 25, 2016
      Sorry, my bad. I thought this bounty PoC was for the Google fake Hall of Fame bug (which you mentioned as an example), as Rahul Singh reported this as a bug and was rewarded with HoF but not a bounty. You can delete this comment if you want. Nice website anyway. Keep up the good work 🙂
      Thanks.

      The bounty screenshot relates to a valid bug report, Kid. The reason for posting this screenshot in this write-up is to clarify the concept for readers regarding the Google Hall of Fame bug / mechanism.

      Request to Admin: Please increase the maturity level of this website; that will help the authors / contributors to entertain genuine requests rather than this kind of script kiddie.

      Regards,
