Google Hall of Fame is becoming very popular among security researchers and bug hunters nowadays. Curiosity is at an extreme level; a few of them are calling it the 'Google Hall of Shame' without analyzing the problem or the reason behind the mechanism. A few said: 'We didn't report anything, nor did we find a valid security bug, but still our names are listed on the Google Hall of Fame.' People are confused. Messages are flooding my inbox and my social media accounts from students, friends and colleagues regarding the debate about the Google Hall of Fame. Questions and more questions. Based on my analysis, I tried to explain that "it's not a bug, it's the current mechanism", although I'm not the owner of the Google VRP. It seems like three groups with three different mindsets are combating each other. Please Note: I'm not pointing fingers at anyone; I'm trying to describe groups that share the same mindset.

Group A = We worked really hard to get into the Google Hall of Fame. But nowadays beginners (I won't use the word 'kid' here, because we should respect each other) are getting into the Hall of Fame. Back of their mind: why and how is it possible? They're getting into the HoF with limited knowledge; there must be a problem with Google.

Group B = We're more curious and are looking for ideas. How can we get into the Google Hall of Fame?

Group C = We got into the Google Hall of Fame and, no matter how it happened, we don't care.

Well guys, that's the whole reason behind this post. Please Note:
I'm not defending Google's Hall of Fame mechanism. Whether it is right or wrong is a different story. I am trying to explain the mechanism behind the Google Hall of Fame with proof and references.
POC 1: Filled in the form with invalid details for the Google Hall of Fame. Link to this video: https://vimeo.com/173326890

As you can see, I've filled in the form with invalid values at: https://www.google.com/appserve/security-bugs/m2/new?rl=&key=

After submission, you'll receive a confirmation email from Google, which looks like: Figure:

According to this email, "Google will investigate and get back to you...". Bingo! Your Hall of Fame entry is already there. Check the video POC again.
Analysis: Based on the above scenario, you will not get the second email from the Google Security Team in which they mark your report as "Triaged", simply because you have submitted an invalid report. Still confused about your profile entry in Google's Hall of Fame? I've created another proof of concept for your better understanding.

POC 2: Will not report anything for the Google Hall of Fame. Link to this video: https://vimeo.com/173330745
As you can see, I logged in with a new Gmail account and only created a new Google VRP profile at: https://bughunter.withgoogle.com/new_profile

Finally, I got a Google Hall of Fame entry without reporting anything. Bingo!

Analysis: Based on the above scenario, you will not get any confirmation email from the Google Security Team, because you haven't reported any bug yet.

Conclusion:
It's the Google VRP's current mechanism: Google adds your profile to the honorable mentions page, under the heading of Hall of Fame, automatically at the time the profile is created, as I have proved with my second POC. Google's Hall of Fame is sorted based on a combination of:
- Volume: More valid bug reports will lead to a better ranking. Spurious reports may lead to a lower rank.
- Severity: For those bugs, how severe are they? Better bugs lead to a better ranking.
Google VRP's Hall of Fame is based on a ranking system. Please understand that "it's the current mechanism of the Google VRP". References: Figure:
Please Note: Whether the current mechanism is right or wrong, better or worse, logical or illogical is a separate discussion and seems to be out of scope for this post. Last but not least, please understand that when you report a valid bug you will get the following:
- Confirmation Email as mentioned in First POC.
- Your report has been “Triaged” like below:
- Email for rewarding a “Bounty” like below:
So please don't victimize yourself. Report a valid bug and get the reward! Thanks! Ali Tabish