XSRF or clickjacking with no practical use to attackers

When evaluating reports of Cross Site Request Forgery or clickjacking vulnerabilities, we always try to understand the impact they may have when actually exploited. If a successful attack does not change the state of your Google account in any way, or if the change is very inconsequential, the report may not qualify for a reward. Cross Site Request Forgery against actions that do not require authentication, or that must be submitted together with other unpredictable values (e.g., passwords, secret invitation codes, etc.), is often deemed a non-issue, too.
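To make the "unpredictable value" distinction concrete, here is an added toy model (not Google's code, and assuming a made-up session store and two hypothetical endpoints): a cross-site request carries the victim's cookie automatically but only the form fields the attacker's page chose, so an action that also demands the current password cannot be completed by a forged request.

```python
from dataclasses import dataclass


@dataclass
class Request:
    cookies: dict  # attached automatically by the victim's browser
    form: dict     # fully controlled by the attacker's page
    origin: str


def new_store():
    """Constructed sample session store: one logged-in victim."""
    return {"sid-victim": {"email": "victim@example.com",
                           "password": "correct-horse-battery"}}


def forged_request(form):
    """Model a cross-site POST: cookie is present, body is attacker-chosen."""
    return Request(cookies={"session": "sid-victim"}, form=form,
                   origin="https://attacker.example")


def change_email_cookie_only(store, req):
    """State-changing endpoint guarded by the session cookie alone."""
    sess = store.get(req.cookies.get("session"))
    if sess is None or "email" not in req.form:
        return False
    sess["email"] = req.form["email"]
    return True


def change_email_requires_password(store, req):
    """Same action, but the current password must accompany the request.
    The attacker cannot predict it, so the forged request is rejected."""
    sess = store.get(req.cookies.get("session"))
    if sess is None or req.form.get("current_password") != sess["password"]:
        return False
    sess["email"] = req.form["email"]
    return True


def csrf_changes_state(endpoint, form):
    """Triage helper: does a forged request actually alter account state?"""
    store = new_store()
    before = dict(store["sid-victim"])
    endpoint(store, forged_request(form))
    return store["sid-victim"] != before
```

Running `csrf_changes_state` over each endpoint answers the triage question in this section: the cookie-only endpoint is affected, while the one requiring the password is not.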

As with many other types of security issues, it is always helpful to think about how such a problem could be used in an attack and what would be gained by leveraging it. If you are unsure, we may have a hard time evaluating the report :-)

In the end, reports of XSRF or clickjacking issues that carry no value for potential attackers will not qualify for a reward or credit.