
No bounty was paid for this?


I can't say I'm surprised they didn't pay a bounty when they couldn't even own up to this on their own blog [1].

Instead, they took it as an opportunity to market their new sandboxing on Google's blog [2], again with no mention of why their hand was forced into building the sandboxing they should have had before they rushed to onboard thousands of customers.

I have no idea what their plan was. They had to have known the researchers would eventually publish this. Perhaps they were hoping it wouldn't get the same amount of attention it would if they posted it on their own blog.

[1]: https://news.ycombinator.com/item?id=44954560

[2]: https://news.ycombinator.com/item?id=44954242


First thing I looked for... this is an absolutely critical vulnerability that, if exploited, would have completely ruined their business. No bounty!?


Why would they pay anything? The researchers offered them the vuln analysis for free, unprompted.

If anything, they got paid in exposure.


Let's hope the grants keep coming in because those researchers will start getting offers from the darker corners of the web if bounties aren't paid.


It's their choice. If the researchers choose to accept and service criminal offers from darker corners of the web, they should be prosecuted as the criminals they have become.



