A security researcher discovered a vulnerability in a Google product, received praise from the company, but was denied a bug bounty payment after Google classified the flaw as ‘working as intended.’ The issue reportedly remains unpatched, raising concerns about how Google handles responsible disclosure and researcher compensation. This case highlights ongoing tension between bug bounty programmes and vendors’ willingness to acknowledge and remediate reported flaws.

Security Architect’s Take: Do not assume a vendor’s bug bounty acknowledgement equates to remediation — independently track reported vulnerabilities in your GCP or Google Workspace environments and apply compensating controls until a fix is confirmed. Review your third-party risk processes to account for unpatched vendor-classified ‘by design’ flaws.

Original advisory: Google told researcher ‘Nice catch!’ Then denied bug bounty for flaw it still hasn’t fixed