by collingreene 4620 days ago
I need more information if you want me to look into this issue.

We have paid out on such issues before but there is no hard rule. In general we err on paying out if there is any question. We have paid out before when a submission wasn't a bug at all but led us to some part of the code that we ourselves then found a security bug in.

It is in our best interest to pay out whenever possible. More payouts = more submissions = more security bugs found and fixed.

I think the report number is 173358208.
Cool, found it. Will respond in the email thread.
Thanks for the reply, that clears things up.
For you yes... for us no! Can we know why you got no reply and no reward?
This is the excerpt from the reply:

"Sorry it took a while to respond. It took us longer than normal because we have had a few weeks of higher than average volume and this ticket was marked as fixed but we hadn't corresponded back to you yet."

"This was indeed fixed by a separate diff that had been committed but was not yet live when you submitted the issue. So in this case we didn't learn about a new issue but we did double-check some of our assumptions around this stuff."

And I got a reward of $500. Here is the POC http://www.youtube.com/watch?v=x5HXv7nPgYo