ADVERTISEMENT

Google thanks researcher for finding major flaw but doesn’t fix it and pays no reward

Researcher and cloud bug hunter Justin O’Leary says he found and reported a major flaw to Google but the tech giant, after initially praising the engineer, then changed course, told him there’s no vulnerability and that he wouldn’t be paid. The flaw is still active.

google-bug

Image by Cybernews.

Gintaras Radauskas
Gintaras Radauskas Senior Journalist
Jun 19, 2026 3 min read
Key takeaways:

Google reversed its earlier decision

Check if your data has been leaked

Find out if your email, phone number or related personal information might have fallen into the wrong hands.
18,611,353,922
Breached accounts
36,030
Breached websites
google-flaw-process
Image by Cybernews.
“The Cloud Vulnerability Reward Program panel has decided that the security impact of this issue does not meet the criteria to qualify for a reward,”
Google's message to O’Leary.
ADVERTISEMENT

Three months later, the bug’s still alive

  • Say “Nice catch!” and file a bug to fix it
  • Tell me to set up payment for my “potential reward”
  • Claim the behavior is “working as intended”
  • Say the product team might still fix it
  • Keep the case in “Accepted” status instead of closing it
  • Tell MITRE they “do not believe it is a vulnerability”
Jurgita Lapienyte justinasv Izabele Pukenaite vilius Ernestas Naprys Gintaras Radauskas
Don't miss our latest stories on Google News. Add us as your Preferred Source on Google
Add us as your Preferred Source on Google.

ADVERTISEMENT