anon223345's comments

Update #2 - they actually responded to my bug bounty request. Seems they think it may be worth fixing but not a big enough deal to pay out a bounty to me. Obviously I’d like the bounty, but if I got any recognition that would be awesome.

---

Hi,

Thanks again for your report.

I've filed a bug with the responsible product team based on your report. The product team will evaluate your report and decide if a fix is required. We'll let you know if the issue was fixed.

Regarding our Vulnerability Reward Program: At first glance, it seems this issue is not severe enough to qualify for a reward. However, the VRP panel will take a closer look at the issue at their next meeting. We'll update you once we've come to a decision.

If you don't hear back from us in 2-3 weeks or have additional information, let us know!

Regards, Google Security Team


You have my respect!


I filed a bug bounty! If this is working as expected then so be it…

I didn’t even know this hit front page till you said something

I’m just gonna leave the other orgs alone and not do anything in there until I can figure out a strategy to delete this Google group (which I am actually using to manage my own accounts). My accounts are just hobby accounts more than anything; it’s crazy I logged in and found these full-blown business accounts lol

Just insane to me that I don’t have to confirm on my end that I should be the admin, or billing role lol, they can just one way add you…

I think they meant to add their service account and instead added my Google group; the URLs are kind of similar


That’s awesome lol


I’ll try that I suppose. It sounds like I’m going to have to delete that Google group, which is going to be a pain because I actually use it…

I did file a bug bounty, hopefully that goes somewhere


UPDATE: I have just submitted a bug bounty request

That would really help my career and life if I get that!

I won’t do anything with the accounts I accidentally have access to


I’m just going to delete the group


Bad idea. You're a good person, the next person to create the group name (which you've helpfully published here) may not be.


Thank you, will try that…


What it’s doing is actually useful, using a group to easily add people to roles is great

Not making the group do confirmation, or even acknowledging the addition is super stupid


Good call, the problem is I use the group for my own projects…

I will painstakingly change that to not use groups and then delete the group if it lets me

It’s just kinda stupid people are allowed to just add my group with my group not even confirming


Yes exactly, it’s a group with just a generic name I made many years ago…

