Improper Access Control in openwhyd/openwhyd
Reported on
May 24th 2021
Description
A YouTube Data API key without HTTP referrer restrictions is present in your repository. It can be embedded in anyone's website, and if the billing account is active, it will incur charges on your account.
Proof of Concept
Visit the following link to verify that anyone can use the API key:
https://www.googleapis.com/youtube/v3/search?part=snippet&q=YouTube+Data+API&type=video&key=AIzaSyCAZvC5tsGWWA2I2cKKsbfaqjwtXfr4bmg
An attacker can abuse the key to exceed its daily quota and, if billing is enabled, cause charges. With proper restrictions in place, the same request should return a Forbidden error.
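The check described above, as an added example that is not part of the original report: a small script a maintainer can run to confirm that a referrer restriction is actually in effect on their own key (a bare request is rejected with 403 while a request from an allow-listed origin succeeds). The key value, the allowed origin and the error-reason strings used for classification are assumptions.

```python
import json
import urllib.error
import urllib.parse
import urllib.request

SEARCH_URL = "https://www.googleapis.com/youtube/v3/search"  # endpoint from the report
API_KEY = "AIza_PLACEHOLDER_REPLACE_WITH_YOUR_OWN_KEY"         # assumed placeholder
ALLOWED_REFERER = "https://example.org/"                       # assumed allow-listed origin


def classify(status, body):
    """Map an HTTP status and JSON error body to a verdict for one probe.

    Assumption: a referrer-blocked key and an exhausted quota both answer 403,
    distinguishable by the 'reason' entries in the error body."""
    reasons = {e.get("reason") for e in body.get("error", {}).get("errors", [])}
    if status == 200:
        return "accepted"
    if status == 403 and "quotaExceeded" in reasons:
        return "quota_exhausted"
    if status == 403:
        return "blocked"
    if status == 400:
        return "invalid_key"
    return f"unexpected_{status}"


def verdict(without_referer, with_referer):
    """Combine the two probes: restricted only if the bare request is blocked
    while the allow-listed origin still works; anything else needs a human look."""
    if without_referer == "blocked" and with_referer == "accepted":
        return "restricted"
    if without_referer == "accepted":
        return "unrestricted"
    return "inconclusive"


def probe(key, referer=None):
    """Issue one minimal search request, optionally with a Referer header."""
    params = urllib.parse.urlencode(
        {"part": "snippet", "q": "test", "type": "video", "maxResults": 1, "key": key})
    req = urllib.request.Request(f"{SEARCH_URL}?{params}")
    if referer:
        req.add_header("Referer", referer)
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return classify(resp.status, json.load(resp))
    except urllib.error.HTTPError as err:
        return classify(err.code, json.loads(err.read() or b"{}"))


if __name__ == "__main__":
    bare, allowed = probe(API_KEY), probe(API_KEY, ALLOWED_REFERER)
    print(f"bare={bare} allowed_origin={allowed} -> {verdict(bare, allowed)}")
```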
Impact
An attacker is able to abuse your API key. If billing is enabled on your account, attackers can use your key while your account gets charged.
Occurrences
Hi Daemon, thank you for reporting this vulnerability! I agree that we could prevent the abuse of YouTube API quota associated with this key if we restricted its allowed domains. That said, we have not enabled billing on that account, so I wouldn't qualify that vulnerability as a "high severity". Based on this explanation, would you agree to decrease the severity of this issue?
Hello @Adrien Joly, thanks for confirming the issue. I reported it as 'high severity' considering billing as the context. However, abuse of the key can exceed the daily quota, resulting in improper functionality of the application. And neither the maintainer nor the reporter has the option to redo the severity as of now. I reported the issue to the support team; do you consider this a medium severity?
Thank you for the clarification. Medium severity seems fair!
Hello @Adrien Joly, after reconsidering the severity, qualify and patch the issue. Thanks.
...and I just fixed it from the Google API Console!
Can you confirm that the domain restriction is now active on your end?
I'd love to send the bounty over to you, but it seems that I need to select a commit from our github repo in order to do that... (if I understand this website well)
Yup the restriction is now active and the issue can be closed as patched.
Well @Adrien Joly, you don't need to send the bounty. Huntr.dev provides monetary value both to the Reporter, once the issue is validated, and to a Fixer once it is patched. You may select yourself as the Fixer since you patched the issue. Thank you!