Critical Logic Bypass: "Intended Behavior" Full System Access
Hello,
I am a developer and security researcher. I am disclosing a significant logic bypass within the Google VRP (Vulnerability Reward Program).
The Effort & The Logic:
I want to emphasize how much effort and detailed information it takes for a researcher to get a report "Triaged" by a company like Google. After providing extensive data and technical proofs, the report was successfully moved to the triage stage.
The Action:
However, after "3x/TS" processing, the TS report was abruptly closed without any logical explanation and dismissed as "Intended Behavior." Immediately after this, my terminal access was locked.
My Appeal to the Community:
As a developer community, I ask you to judge this: Is it logical or fair for a major company to accept a report into triage (acknowledging its validity), only to close it without valid reasoning and lock the researcher out?
I am releasing this for educational purposes and to let the expert community verify the logic bypass. I have documented everything—the triage, the closure, and the terminal lock—on my GitHub here: https://github.com/shibu1r2i3n4ibiswas-eng/google-security-bypass?tab=readme-ov-file#google-security-bypass-evidence