It's the type of bug that could have visited a world of hurt on a sizable number of people using Google Apps to manage business e-mail and calendars. A cross-site scripting (XSS) flaw in https://admin.google.com/ made it possible for attackers to force Google Apps admins to execute just about any request on that subdomain. Forced actions included creating new users with "super admin" rights, removing two-factor authentication and other security controls from existing accounts and modifying domain settings so e-mail is redirected to addresses controlled by the attacker.
But instead of causing disaster for businesses using Google Apps or generating headlines of an alarming new zero-day vulnerability, the bug was privately reported to Google on September 1 and fixed 17 days later. In exchange for the report, Google paid application security engineer Brett Buerhaus $5,000.
The speed and lack of fuss contrasts sharply with vulnerability travails that have recently visited Microsoft. Twice this month, the software company has been shamed when Project Zero, the vulnerability research team sponsored by Google, has publicly reported unfixed bugs that threaten the security of Windows users.