curiousObject|9 months ago
The only permission the extension needed was “downloads, which normally only allows an extension to download and search for user files, not read or write to them”
That’s not an unusual permission for an attractive but safe sounding extension, for example an extension to download all images from a page
$100k at least?
The value of this to bad guys could be up to millions
SchemaLoad|9 months ago
Well the author decided to sell the bug to Google rather than to criminals so I guess it was deemed a good value. By selling it to Google you get to write a nice blog post you can show to future employers and you don't have to involve yourself in crime. So the payout needed is a lot less than what hackers might be offering.
DaSHacka|9 months ago
Like, does a 6th or 7th blog post really matter, versus getting a large payout?
No rule that says you can't do both, or only disclose+publish the more 'impressive' of your exploits.