Bug in Google Maps Opened Door to Cross-Site Scripting Attacks

September 8, 2020

A researcher earned a double payment totaling $10,000 for a cross-site scripting (XSS) bug he found in Google Maps. He earned $5,000 initially, and when Google’s patch fell short, he earned a second $5,000 for discovering a bypass to the fix.

Zohar Shachar, head of application security at Wix.com, reported the flaw to Google on April 23 and was issued a $5,000 reward soon after. Google publicly disclosed the issue, declaring it “fixed” on June 7. Minutes after Shachar was notified of the patch and the bounty award, he said, he found a bypass for the Google Maps fix. That eventually earned him another $5,000.

Read More on Threat Post