Hello everyone, today I will share how I’ve found bug in Google.
I mainly do WebApp & Cloud vulnerability research (more focused on cloud) And I’m not that much active in bug bounties.
So let’s begin, I went to a deepmind.google to read just article, And I noticed unexpected behavior while browsing this website & i just intercept only few URL endpoints which was giving me interesting behavior & i was playing around with the functionality by probing them. And unfortunately google only accept few BUG classes in their WebApps
NB: I only use burp professional for my pen testing and refrain from automation.
And while testing the functionality I suddenly found an error (XSS) on an endpoint & and subsequently reports to the team.
And finally got the email today: It has been triaged.
I got a zero day on their cloud application a few days ago & submitted from outside to the team. Because when you submit to their bug bounty program you are hunting by their rules. So if you get a zero day, never submit it to a bug bounty program. According to Project Zero rules which means giving vendors a reasonable amount of time (usually 90 days) to fix the identified vulnerabilities before making them public. So I can’t make it public right now. I will give a detailed post on that too. stay in touch!
Tip: Always look for interesting behaviors rather than testing every endpoints.