Google has said that it is not prepared to pay a bug bounty for a privacy flaw, despite needing to make a change in Calendar after it was reported.
In an email to IT Security Guru, Google said that it did not have any further comment to make on a recent blog after it initially reviewed the report made by Terence Eden. Eden said that the issue was formally disclosed to Google on 6th January 2014 and the response was deemed to have “minimal impact on the security of our users”.
Two days later, on 24th January, Google agreed to fix the bug saying that it agreed that the “behaviour you identified is undesirable, and we filed a bug with the Calendar team last week. They’ve been working on changing the behaviour to make it clearer that someone has been added to the event in the situation you described”.
In the blog, Eden revealed that if you use Google Calendar on the web, and put an email address in the subject line, that user will have the event added to the calendar and your details will be seen by the recipient. Also, any details you put in the entry will be seen by the recipient too.
Eden said: “Google has tried to be clever here. It has failed. Just because I am talking about someone, it doesn’t mean I am talking to someone.
“There are two main risks here – the user could expose her private Gmail account and associated Google+ data, and she could also reveal her private thoughts and feelings.”
Eden told IT Security Guru that, while there was no bounty, it was offered a place in the Google Hall of Fame. He said that, while he was not surprised by the lack of a payout, he was slightly disappointed by the general tone of the dismissal.
Bug bounty brokers Bugcrowd told IT Security Guru that not paying, but adding to the Hall of Fame, was odd. “If you change code because of a report, the change is security related and you run a bug bounty, you should pay it,” they said.