[HN Gopher] The Chrome VRP Panel has decided to award $250k for ...
___________________________________________________________________
The Chrome VRP Panel has decided to award $250k for this report
Author : alexcos
Score : 475 points
Date : 2025-08-11 05:56 UTC (17 hours ago)
(HTM) web link (issues.chromium.org)
(TXT) w3m dump (issues.chromium.org)
| krtkush wrote:
| How does one start acquiring skills like these?
| mdaniel wrote:
| Practice, and having supernatural perseverance (although
| probably not in that order)
|
| I'd guess the curriculum is half reverse engineering and half
| reading any write-ups to see the attacks and areas of attack
| for inspiration
| anthonj wrote:
| I get the feeling these kind of skills are very rare because
| they fall in the category "understanding and debugging other
| people's code/mess", while most people prefer to build new things
| (and often struggle to debug their own work).
|
| It takes a lot of passion and dedication to security and reverse
| engineering to get there.
| WalterBright wrote:
| Spending a lot of time debugging code. Eventually, the pattern
| recognizer in your brain will pick out the bugs. The term for
| this is "code smell".
|
| For example, when I'd review C code I'd look at the str???()
| function use. They are nearly always infested with bugs,
| usually either neglecting to add a terminator zero or
| neglecting to add sufficient storage for the terminating zero.
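The two str*() pitfalls named above, as an added example that is not part of the thread or any commenter's code: each defect is reduced to a checkable function beside a bounded copy that always terminates. The 8-byte buffer and the inputs are constructed for the demonstration.

```c
#include <stdio.h>
#include <string.h>

#define BUFSZ 8   /* constructed: an 8-byte destination buffer */

/* Pitfall 1: strncpy() writes no terminator when src fills the buffer.
 * Returns 1 if the 8-byte buffer ends up with no '\0' inside its bounds
 * (calling strlen() on it afterwards would read past the buffer). */
int strncpy_leaves_unterminated(const char *src)
{
    char dst[BUFSZ];
    memset(dst, 'X', sizeof dst);            /* make stale bytes visible */
    strncpy(dst, src, sizeof dst);
    return memchr(dst, '\0', sizeof dst) == NULL;
}

/* Pitfall 2: sizing storage with strlen() alone omits the terminator byte.
 * Returns the allocation size a copy of src really needs. */
size_t bytes_needed(const char *src)
{
    return strlen(src) + 1;                  /* the +1 is the forgotten byte */
}

/* Hardened copy: always NUL-terminates and returns strlen(src), so a caller
 * detects truncation by comparing the result against dstsz. */
size_t safe_copy(char *dst, size_t dstsz, const char *src)
{
    size_t n = strlen(src);
    if (dstsz == 0)
        return n;
    size_t tocopy = (n < dstsz - 1) ? n : dstsz - 1;
    memcpy(dst, src, tocopy);
    dst[tocopy] = '\0';                      /* terminator is unconditional */
    return n;
}

/* Copies src into an 8-byte buffer with safe_copy() and returns strlen(dst),
 * which is always < BUFSZ because the terminator is guaranteed. */
size_t safe_copy_len(const char *src)
{
    char dst[BUFSZ];
    safe_copy(dst, sizeof dst, src);
    return strlen(dst);
}

/* Reports 1 when safe_copy() into the 8-byte buffer had to truncate src. */
int safe_copy_truncated(const char *src)
{
    char dst[BUFSZ];
    return safe_copy(dst, sizeof dst, src) >= sizeof dst;
}

int main(void)
{
    const char *fits = "1234567";            /* 7 chars + NUL fit in 8 bytes */
    const char *full = "12345678";           /* 8 chars: no room for the NUL */

    printf("strncpy(\"%s\"): unterminated=%d\n", fits,
           strncpy_leaves_unterminated(fits));
    printf("strncpy(\"%s\"): unterminated=%d\n", full,
           strncpy_leaves_unterminated(full));
    printf("bytes needed for \"%s\": %zu (strlen says %zu)\n", full,
           bytes_needed(full), strlen(full));
    printf("safe_copy(\"%s\"): len=%zu truncated=%d\n", full,
           safe_copy_len(full), safe_copy_truncated(full));
    return 0;
}
```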
| jve wrote:
| It is crazy that anytime someone works on the application layer
| and wants to manipulate a string, which is a very, very common
| thing to do when writing an application, one has to consider \0,
| which would be an implementation detail.
|
| How can that language still be so popular?
| avar wrote:
| Because whatever language you think should be popular
| instead is running on a mountain of C code, but the reverse
| isn't true.
| WalterBright wrote:
| The D implementation and runtime library has zero C code
| in it.
| avar wrote:
| And when you run that compiler implementation, what
| language family was used to implement the OS and kernel
| it's running on, the firmware you're using etc?
|
| That's what I meant, not that self-hosted compilers don't
| exist.
| AlienRobot wrote:
| Okay, I want to make a desktop app that runs on Linux.
| Which language should I use? Java?
| rkomorn wrote:
| Some current trendy options would be Kotlin (with Kotlin
| Multiplatform) or C# (with Avalonia UI).
|
| Edit: I guess I should've at least asked myself if the
| question was rhetorical.
| uecker wrote:
| Whatever you do, please do not use a language that makes
| it difficult to provide security updates:
| https://www.debian.org/releases/trixie/release-
| notes/issues....
| AlienRobot wrote:
| My problem with "cross-platform" GUIs that run on Linux is
| that they aren't made to run on Linux desktop, they are
| made to run on Android, iOS, Windows, macOS, and finally
| Linux desktop.
|
| All I want is a menubar, a toolbar, a statusbar, and some
| dialog windows. I don't want fading transitions when I
| click a tab.
|
| It's crazy that I'm forced to write header files just to
| have a menubar.
|
| Zig 1.0 can't come soon enough.
| rkomorn wrote:
| Wouldn't Qt or GTK be good for this, then?
|
| Or... https://quickshell.org/ ?
| jve wrote:
| That question is kind of the point I want to make. We
| live in 2025 and C is still an option for new
| applications, i.e. the wrong abstraction layer for application
| level development.
|
| No doubt there are valid reasons to use it; that is just
| the state of things, unfortunately.
| uecker wrote:
| The language is just fine. The real question is: Why do
| people not use a string library that abstracts this away
| safely?
| saagarjha wrote:
| Why does the language not make one?
| tonyhart7 wrote:
| Because at that time, C's creator didn't know things would
| evolve into the future. After all, computers were a new thing.
| saagarjha wrote:
| Ok, but the question asks why one isn't made today.
| uecker wrote:
| There are many string libraries.
| saagarjha wrote:
| As you can expect, the answer to your question is the
| obvious one.
| uecker wrote:
| I do not think it is an obvious or trivial question. I think
| the problem is mostly that there is no money for
| enhancing the C ecosystem and educating people about
| possibilities. The corporate money goes into random new
| things.
| WalterBright wrote:
| Oh, people tried. Every C programmer tried it. I tried
| multiple times. They all failed.
|
| Back when I was musing about what D would be like, I
| happened across some BASIC code. I was drawn to the use
| of strings, which were so simple in BASIC. I decided that
| D would be a failure if strings weren't as easy to use as
| in BASIC.
|
| And D strings turned out to be better than I'd dared
| hope!
|
| I proposed an enhancement to C to get much of that
| benefit, but it received zero traction in the C
| community. Oh well.
|
| https://www.digitalmars.com/articles/C-biggest-
| mistake.html
| eska wrote:
| Lots of C applications nowadays don't actually use any of
| the str functions or null termination.
| saagarjha wrote:
| Programming is the consideration of implementation details.
| When you manipulate strings in C you consider the
| terminating nul byte just like when you manipulate strings
| in Python you consider how it stores codepoints or when
| you manipulate strings in Swift you think about grapheme
| clusters. There is no free lunch. (Though, of course, you
| can get reduced price lunches based on the choices you
| make!)
| WalterBright wrote:
| C was popular because, if one is familiar with assembler,
| it takes about an hour to become adept at programming in
| it.
|
| It's also an easy language to write a compiler for. At one
| point I counted over 30 C compilers available for DOS.
| Hilift wrote:
| Read the blogs of the guys creating the bugs.
| saagarjha wrote:
| https://pwn.college/
| tptacek wrote:
| By reading and keeping up with the published work in browser
| exploit development, replicating it yourself, and then finding
| you have a knack for spotting vulnerabilities in C++ code.
| ad-astra wrote:
| Impressive. Feel like finding issues like this in such a large
| project is like looking for a needle in a haystack
| georgemcbay wrote:
| Finding issues in large complex projects is generally easier
| than smaller projects. More code, more bugs. But it's still
| difficult to find serious issues on the level of a sandbox
| escape in Chromium just because Google's long-running reward
| system means lots of people have spent lots of time looking
| into it, both manually and using automated fuzzer tools.
|
| Back in ye olden days of 2014 I randomly stumbled upon a Chrome
| issue (wasn't trying to find bugs, was just writing some
| JavaScript code and noticed a problem) and reported it to
| Google and they paid me $1,500. Not bad for like half an hour's
| work to report the issue.
|
| https://issues.chromium.org/issues/40078754
| ch33zer wrote:
| I feel like it's the opposite. In a huge project there's bound
| to be many weird interactions between components, and it's
| about picking the important/security relevant ones and finding
| edge cases. In this case the focus was on the interaction
| between the renderer process and the broker. That forms a
| security boundary so it makes sense to focus your efforts there
| - Google will pay for such exploits since they can in theory,
| when combined with other exploits in the renderer process, lead
| directly to exploits that can be triggered just by opening a
| web page. So, yes, Chrome is a huge project but the list of
| security-relevant locations to probe actually isn't
| all that long. That's not to diminish the researcher's work; it
| still takes an insane amount of skill to find these issues.
| hnlmorg wrote:
| Finding a problem that deserves a bug bounty reward is a very
| different beast to just finding quirks.
|
| I read from one security researcher somewhere that
| professionals wouldn't find enough bug bounty worthy problems
| in high enough frequency to pay their bills. So they'll
| sometimes treat things like this more as a supplement to
| promote their CV rather than as a job itself.
| high_na_euv wrote:
| Kind of life changing money, good to see such rewards
| socalgal2 wrote:
| The first time I got a bonus that big, $240k, I thought it
| would be life changing. The gov took $100k in taxes. I paid off
| my car, $20k. Then when I really thought about it there wasn't
| much I could do.
|
| It was not a down payment on a house in LA/SF/NYC. It was not
| enough to start a company and hire people. If I'd changed my
| life style to be like a college student and live with roommates
| then it might have given me 2-3 years of student lifestyle, but
| I was 34 and not prepared to go back to student lifestyle.
|
| To be honest it was super disappointing. Of course getting a
| $240k bonus is a privilege. My only point was it didn't change
| my life like I thought it would.
|
| And, that was 25 years ago. Today, even a million ($600k after
| taxes) in those 3 cities won't likely change your life. Maybe
| you could put a down payment on a house or pay for your kids'
| college tho, but it's not the freedom I thought it would be.
| gambiting wrote:
| Depends where you live. Where I'm from $240k would buy you a
| really nice house with lots of land, and you'd have money
| left over.
|
| >>won't likely change your life. Maybe you could put a down
| payment on a house or pay for your kids college tho but it
| not the freedom I thought it would be
|
| How is being able to put a down payment on a house or being
| able to send your kids to college debt-free not life
| changing?
| sgjohnson wrote:
| > How is being able to put a down payment on a house or
| being able to send your kids to college debt-free not life
| changing?
|
| Because neither of those are going to change your daily
| life that much? It simplifies a thing or two, but neither
| of those things are life-changing.
| gambiting wrote:
| I can only assume you'd say so if you were able to do
| either of those things in the first place, so yeah, it
| doesn't feel life changing. It's like winning a car in a
| radio lottery when you already had a car - yeah pretty
| cool, but not life changing.
|
| There's a _lot_ of people who can't even imagine ever
| being able to put down a deposit on a house or to send
| their kids to college debt-free. With an amount of money
| like that you can go from being trapped in a rent hell
| forever to actually purchasing your own house. Or you can
| give your kids the education you want to give them. They
| are major, life changing impacts. Again, to describe it
| as "simplifies a thing or two" to me implies that you
| could do them even without this money, in which case yeah,
| it changes very little.
| bearl wrote:
| Property taxes are very high thanks to prop 13. 250k in
| California is like 30k in states like Texas or Illinois,
| enough to make it a great year but not life changing.
| __d wrote:
| Debt-free college is life-changing for your kid(s).
| jama211 wrote:
| Your only definition of life changing is changing your
| day to day life? That's an odd way of looking at it.
| Going from renting to a home owner is a BIG bucket list
| life changing item for most people
| msh wrote:
| I guess it's perspective and where you are in life plus your
| location in the world. I would have to pay 50% tax on it, so
| well, a down payment could be it, but I would still have to
| afford the house.
|
| I have a hard time seeing it as life changing for me,
| having a decent paying job (not silicon valley developer
| scale) in an expensive country. Ofc if I was having a low
| paying career without that many perspectives my outlook
| might differ.
|
| I don't live in a place where you pay for your kids being in
| college so I can't speak for that part.
| socalgal2 wrote:
| You live in Poland? Country or City? Google estimated a 60
| square meter 2br condo in Warsaw costs an average of $260k.
| So a $240k bonus, after paying taxes, leaves you with $145
| in Poland, so no, you could not likely get a condo in
| Warsaw with a $240k bonus. I'm sure if you live well
| outside a major city that changes.
|
| And, the bigger point is, even if you could afford a house,
| is that life changing? Would your life style change because
| you bought a house? Or, would it just basically be the same
| life style as before except you now own a house?
|
| To me, a life changing amount of money means an amount that
| changes my life style. That could mean an amount that lets
| me retire and never work again. Or an amount that lets me
| quit and start my own company. Or quit and go back to
| school. Or quit and travel for a few years. Something along
| those lines, having my "life change". Buying an apartment
| but having my life remain the same, same job, same hours,
| same activities, is not "life changing" to me.
|
| I fully admit a $240k bonus ($140k after taxes) could be
| life changing for others. If I'd been 19yrs old when my
| living expenses were $20k a year, then $140k in the bank
| would have let me go ~7yrs without a job. Unfortunately my
| 19yr old self would have probably blown 30% on a car, 20%
| on travel or other things, 10-20% on random equipment like
| a new gaming rig or cameras and lenses, and then in a few
| months I'd be back where I was. And, even if I did manage
| to not blow it and do the 7 years, what else could I have
| done? Could I have started a company and hired people? How many
| could I afford to hire and for how long? Would it be enough
| to not just lose the money or would I have needed more than
| $140k?
| defraudbah wrote:
| Why do comments about taxes get grayed here? Is it bad behavior in
| the US to discuss taxes?
| komali2 wrote:
| > it was not enough to start a company and hire people.
|
| It is in Taiwan, Vietnam, Indonesia, Cambodia...
| 1970-01-01 wrote:
| 225k in 2025 dollars is life changing for anyone in the
| middle class of income. The reason you were unable to do
| anything with it is because you were already earning too
| much.
| lostmsu wrote:
| Presumably people discovering these bugs are not in the
| middle class of income.
| socalgal2 wrote:
| $240k bonus was double my yearly salary.
|
| I think you probably know people who've gone through
| something like this via inheritance. A parent dies, leaves
| them $200-300k. You don't see their life change at all. Of
| course most people don't inherit that much but enough do
| that you probably know some of them or your family knows
| some of them and yet nothing noticeable changed in their
| life.
| jama211 wrote:
| For you maybe. For someone in debt or who has never ever had
| a financial safety net, the amount of stress relief from
| finally having a bit of safety money behind you is mental.
| sgjohnson wrote:
| Depends on where in the world you are. I wouldn't call $250k
| life-changing-money anywhere developed.
|
| It's "I can probably stop worrying about money for a while"
| kind of money, not "life-changing" money. Not a whole lot you
| can buy for $250k. After taxes, that probably doesn't even buy
| a house.
| robin_reala wrote:
| In Sweden, assuming that $125k of that disappears in taxes,
| it'd leave you with 1.2M SEK. There are currently ~650
| properties on Hemnet between 1M and 1.25M. I'd suggest maybe
| this one in Odeshog at 1.1M SEK?
| https://www.hemnet.se/bostad/villa-3rum-odeshog-odeshogs-
| kom... Not the biggest, but it's reasonably well done up,
| comes with 2/3rds of an acre of land, is near a main motorway
| to get to places, and near the shore of the biggest lake in
| the country. If you want to take a train then it's 30 minutes
| drive to the nearest station on the Stockholm-Copenhagen
| line.
| dijit wrote:
| Odeshog is like "Abandoned Pile", not inspiring.
|
| Still cool that you can get a _house_ so cheap in Sweden.
| robin_reala wrote:
| I mean, take your pick! Here's the listing page for all
| 1M-1.25M SEK houses: https://www.hemnet.se/bostader?price
| _max=1250000&price_min=1...
|
| This price level won't get you close to a major city, but
| being within a quick drive or a bus of a reasonably sized
| town should be doable. (And now I've just seen this slice
| of the late 60s, wow:
| https://www.hemnet.se/bostad/villa-5rum-centralt-
| hedemora-he...)
| handsclean wrote:
| Can somebody help me understand why these obviously very
| stupid takes keep popping up on HN? Is it rich people who
| genuinely have no idea what anything costs? Is it rich people
| intentionally being cruel to everybody else? Is it people
| trying to appear rich by pretending they have no idea what
| anything costs? Is it a bay area thing, are people just
| blowing through a literal fortune every year and unaware of
| their spending problems? Is it children whose ideas about
| money come from "influencers"?
| petcat wrote:
| > Is it rich people intentionally being cruel to everybody
| else?
|
| If you got a $240,000 bonus in the mid-2000s in tech, that
| very likely means you were living in one of the tech metros
| (SF, NYC) and you could expect nearly 50% of that to be
| paid in taxes (CA/Fed, NY/NYC/Fed). So you take home about
| $120,000.
|
| It's a windfall of money to be sure. But being in an
| employment situation where even such a bonus is possible
| likely means you already have significantly higher costs
| than the average person. Maybe you'll pay down some student
| loans and bolster your savings. But this is far from being
| "rich". High-earners also tend to have high costs of
| living.
| tonyhart7 wrote:
| This is just US people culture, it's all about money and
| taxes; they should be worrying about their budget when they have 1
| trillion to fund a war machine.
| jynelson wrote:
| Tech salaries in the US are high enough that this is
| approximately 1-3 years of income as a lump sum. More than
| that, if you got this amount as a bonus you already have
| stupid money.
|
| Of course $140k would be life changing for most people. But
| OP, and I suspect most of the other commenters, are not in
| that situation.
| socalgal2 wrote:
| For the simple reason that it didn't change my life. Before
| I received it I thought it would. After I received it, paid
| taxes, etc., my life didn't change at all.
|
| It's a fact that my life didn't change so it wasn't a life
| changing amount of money for me.
|
| Maybe it would be life changing for others, tho at least in
| sf/nyc/la I suspect it wouldn't for most people. If I had
| given it to my sister she'd have used it to pay down her
| mortgage. Her life wouldn't change. She'd have still had a
| mortgage and her day to day life wouldn't have changed at
| all. My nephew could have used it to pay off his student
| loans. That would be great but again his daily life
| wouldn't have changed.
| lesuorac wrote:
| What would you change in your life with that kind of
| windfall?
|
| Definitely not going to quit my job.
|
| Definitely not going to go back to school.
|
| Sure, I could spend it on vacations over the next decade
| but I could already do that, so not life changing.
|
| I like my car already.
|
| Maybe a renovation?
|
| At the end of the day, I'm already doing things I like to
| do so additional money mostly is just going to be saved
| which isn't life changing. It's nice but not life
| _changing_.
| msh wrote:
| Where I live (Denmark), even if it was tax free you would more
| or less be unable to purchase a one-bedroom apartment in the
| capital for this amount.
| dmix wrote:
| Getting enough for a good down payment on a house is life
| changing for many people. You'll make it back not paying rent
| into a void.
| Foobar8568 wrote:
| I'd rather pay rent than put 250k on a down payment and
| still have to pay a rent-sized amount for 15-25 years.
| mavhc wrote:
| But you're then left with owning something probably worth
| more than you paid in total
| lesuorac wrote:
| It's not.
|
| Buy-vs-rent is nearly always monetarily in favor of rent.
|
| 250k down payment is ~20% of 1.3 million which at ~6.5%
| comes out to you paying ~2.4 million. This doesn't
| include maintenance, insurance, or taxes.
|
| I have a bunch of calculators in this post
| (https://news.ycombinator.com/item?id=44794529) but that
| thread also has a lot of other people explaining the same
| thing.
| hu3 wrote:
| Exactly. Buy is more of a peace-of-mind than financial
| decision.
| MrGilbert wrote:
| "Decent." was the first word that came into my mind. After a
| second, I realized that 250,000 USD is basically 0.00022 % of
| Alphabet's (Google's?) annual net income [0].
|
| A life changing amount of money for an individual, but nothing
| more than a small blip on Google's charts. Of course, I'm aware
| of "budgets" and "departments", and that one simply does not move
| funds between departments. And while my mind is on the verge of
| "maybe they should have paid more?", the numbers would mean that
| even 10x the sum would move the percentage by one decimal. It's
| wild how much money big corporations have.
|
| I highly applaud the researcher for their tremendous amount of
| skill and dedication.
|
| [0]
| https://www.reddit.com/r/google/comments/1lh0pl4/google_is_n...
| brabel wrote:
| How much Alphabet makes is almost irrelevant. The incentive
| here should be for security researchers. As long as there's
| enough incentive for security researchers to continue to report
| the bugs they find (which must be balanced against the
| potential payment a criminal could get if exploiting the bug,
| which is not directly correlated to the company's income
| either, at least not necessarily), the payment is appropriate.
| NitpickLawyer wrote:
| To be fair, goog has to pay comparable to other 3rd party
| brokers, and not necessarily "potential payment by exploiting
| the bug". Finding an exploit and being able to deploy it for
| financial gains are two distinct problems, with separate
| skillsets, risks, etc.
|
| Plus there are some other benefits of disclosing to goog.
| After you get into VRP you get access to grants & stuff and
| can basically ask to study a problem and get funded for that
| effort. Being able to blog about it, pad your experience, etc
| etc. All while not having to look over your shoulder for 3
| letter agencies your whole life :)
| sneak wrote:
| You think state intelligence agencies don't hack whitehats
| for their 0days?
|
| You know there's ongoing and plausible efforts by at least
| 3 organizations to conquer the Earth, right?
| MrGilbert wrote:
| > How much Alphabet makes is almost irrelevant.
|
| While I embrace the downvotes, I disagree. From my pov, the
| amount of money paid should factor in the anticipated risk
| for your business. If a privilege escalation means that
| Google takes a massive hit in Ad Revenue, then this should be
| factored in.
| ang_cire wrote:
| > the amount of money paid should factor in the anticipated
| risk for your business. If a privilege escalation means
| that Google takes a massive hit in Ad Revenue, then this
| should be factored in.
|
| Given this exploit, that would probably _lower_ the payout.
| There are absolutely tons more sandbox escapes in the Chromium
| engine right now (here's a fun list of previous ones, none
| of which cost them ad rev[1]), and they're not adversely
| affecting Google's ad revenue. No company is pulling ads
| because Chrome has a vuln.
|
| This wouldn't even be the kind of reputational hit that
| something like SolarWinds was.
|
| [1]: https://github.com/allpaca/chrome-sbx-db
| UncleMeat wrote:
| Why would it affect ad revenue?
|
| An exploit like this would be abused by somebody who sets
| up a malicious website to try to take control over
| somebody's device or otherwise steal secrets from them like
| keys for cryptocurrencies. These attacks tend to be
| targeted. Nobody is using an exploit like this to create an
| ad blocker or even to do ad fraud.
|
| The only risk to revenue here is reputational, and I think
| that it is likely that the existence of this bug would be
| less widely known if the bounty program didn't exist and
| the bug was sold on the black market.
| scarab92 wrote:
| These types of comparisons are illogical.
|
| There's little relationship between the net income of a company
| and what is an appropriate bug bounty, especially a company as
| diversified as alphabet.
| bapak wrote:
| What's your suggestion exactly? Making anyone who can find a
| bug a millionaire? That's ridiculous. 250k is already insanely
| high.
|
| You make a bunch of money too, should you pay $100 for that taco?
| It's nothing to you.
| pydry wrote:
| Equal to the black market price.
|
| Anything less is an incitement to allow exploits to be used
| in the wild.
| bapak wrote:
| That's a different argument. Price it for its worth, not
| for my worth.
| MrGilbert wrote:
| > You make a bunch of money too, should you pay $100 for that
| taco? It's nothing to you.
|
| Looking at my yearly net income, paying $100 for a single
| taco in a year would mean that 0.26% of my net income would
| go into a taco. Paying $0.1 for a single taco would make it
| 0.00026%. According to the consensus in this comment section,
| that would be pretty gracious. Yes, that's where I'm going
| with this.
|
| //Edit: Thanks at postflopclarity for pointing out my wrong
| math.
| postflopclarity wrote:
| so you make $5 million / year but you're still incredulous
| at
|
| > It's wild how much money big corporations have. ?
| MrGilbert wrote:
| I was wondering why my math wasn't mathing, but was too
| busy to earn money at the same time. Thanks for pointing
| it out, fixed! Now my statement makes way more sense.
| TheDong wrote:
| Yeah, assuming the people working at the taco shop aren't
| very well off the taco should cost $100 for a software
| engineer, $80M for Jeffrey Bezos, and $4 for someone down on
| their luck.
|
| If we wanted, we could make this more efficient by giving out
| free healthcare and housing to people, proportional to their
| need, and tax $95 from the software engineer, $80M from
| Bezos, and $0 from someone down on their luck.
|
| Progressive Tacos does sound better than Progressive
| taxation, and it would probably work better because rich
| people dodge taxes all the time, but come on, who doesn't
| want to eat tacos?
|
| We (software engineers) won't have proper empathy for the
| poor until we go into an apple store and the price tag on the
| iPhone is "20% of your net worth".
| bapak wrote:
| Right. So why work when everything is priced according to
| your worth? I'll stay in my $2 rent and free food delivery
| for life. Thank you.
| renewiltord wrote:
| Indeed, one of the great tragedies of life is that this
| happens. Humans cannot survive without water, yet the median
| water bill is $80, which is about 1% of the median household's
| income. People make so much money but refuse to pay for
| something that literally sustains their life. Join me in
| requiring that every household at least 10x the amount they pay
| for this precious water. To employees of water companies: Thank
| you for your service.
| lmz wrote:
| Have you also considered how much humans ought to be paying
| the trees for their Oxygen? I may look into buying some
| shares in those trees if they are available.
| MrGilbert wrote:
| It's fun to twist the rules and put "business life" and
| "human life" on the same level, innit?
| renewiltord wrote:
| Indeed, I think human life is so much more precious and yet
| we barely even pay for something critical to it.
| Embarrassing.
| jve wrote:
| So someone found a way to exploit Chrome. Should Google now
| cash you out some dividends they got from Ads, YouTube, GCP,
| Pixel, Android and Waymo so they can really feel that it costs
| them an arm and a leg?
|
| Suddenly the incentives are there: applying as a Chrome developer is
| more lucrative than a CxO position because one can produce bugs
| for friends to find.
| brohee wrote:
| He had a pretty reliable exploit on the most used browser, pretty
| sure he could have gotten more tax free on the black market.
|
| Now, with EDR widely deployed it's likely that the exploit usage
| ends up being caught sooner rather than later, but pretty sure some
| dictatorship intelligence agency would have found all those
| journalists' deep compromise worthwhile...
| whatever1 wrote:
| Why not collect from both of the sources? First collect with
| your black hat and then with your white.
| londons_explore wrote:
| Typically can't do that.
|
| Security services tend to anonymously report security flaws
| they use after use against any high value target, since they
| don't want the opponent using those same flaws back at them.
| whatever1 wrote:
| Private sector has the incentive of keeping an exploit open
| for as long as possible. Several cases with iPhone exploits
| that were apparently open (and sold) for years.
| ajb wrote:
| "If I report the body, no-one will suspect I'm the murderer"
|
| Yes they will.
| johnisgood wrote:
| Which is why people are hesitant to report a body they have
| not killed, just found!
| BaseBaal wrote:
| Can usually report anonymously so this shouldn't be an
| issue. If there's no mechanism for that then yeah I'd
| consider keeping my mouth shut if it doesn't involve me
| directly (like the body is in my home somehow).
| XorNot wrote:
| Except if you're not the murderer, then there'll be
| little evidence pointing to you.
|
| If you are the murderer, there will be.
| johnisgood wrote:
| It is not so black and white.
| ChrisRR wrote:
| Because you'll get found out and never employed as a security
| researcher again
| elcritch wrote:
| Perhaps but won't some of those blackhats pay $1 million or
| more? Depending where you live that's retirement money.
|
| Honestly I'd be more worried about crossing the blackhats.
| brohee wrote:
| An exploit that is used is an exploit that will eventually
| leave traces that an analyst will look at (if used on a
| corporate PC)... Either you use it very sparingly on HVT or
| you end up on the EDR radars and some IOC will be made public
| eventually.
| saagarjha wrote:
| Black hats will not pay you for an exploit that dies quickly
| once the white hats get your report. White hats will not pay
| you for an exploit that you fenced to a black hat agency and
| showed up in the wild.
| Wowfunhappy wrote:
| > White hats will not pay you for an exploit that you
| fenced to a black hat agency and showed up in the wild.
|
| ...come to think of it, how does that work? Aren't the most
| important exploits to patch the ones being actively used in
| the wild?
|
| In other words, how do they avoid someone playing both
| sides? "I found an exploit being used by the LEETH4X0R
| malware [which was in fact created by the guy I sold this
| exploit to] to steal people's gmail cookies."
|
| You'd have to find out about LEETH4X0R before other
| researchers, but of course, you'd have a head start.
| tptacek wrote:
| First, it's not "black market" vs. "non-black market"; most
| remunerative sales outside of bounty programs are _grey-market_
| --- mostly lawful, but all under the table, largely
| because they're to agencies that are protective of their
| sources and methods.
|
| The mechanism grey-market buyers have to protect their
| interests against over-selling bugs is tranched payments.
| Sellers make much of their returns from bugs on the back end
| through "maintenance agreements", which both require the
| seller to keep e.g. the offsets in their exploits current and
| reliable against new patch levels of the target, and also
| serve to cut off payment once the vendor kills the bug.
|
| If you sell to both sides, you quickly kill the back end
| business from the grey market buyers. If you sell to too many
| or too sketchy grey market buyers, the bug leaks --- vendors
| see it exploited "in the wild", capture samples, kill the
| bug; same outcome: tranched payments stop.
|
| This is one reason it can make sense to take a bounty payment
| that is substantially smaller than what a bug might be worth
| on the market: you get certainty of payment. Another reason
| is that the bounty program will only want POC code (perhaps
| proof of reliability in addition to just exploitability),
| while the market will want a complete enablement package,
| which is a lot of work.
| andersa wrote:
| What if people start asking questions where you got the million
| dollars from? I've never understood how those presumably
| illegal markets can function with such large sums involved.
| bravesoul2 wrote:
| That is why money laundering exists.
| mrheosuper wrote:
| not if millions of dollars is bitcoin
| Reasoning wrote:
| Money laundering, give the money to a shell company and have
| them report it as income. Obviously not that simple but
| that's the basic explanation.
| saagarjha wrote:
| They're not illegal.
| atemerev wrote:
| You are a security researcher. Your mind is trained to find
| and mitigate vulnerabilities. Including the vulnerabilities
| in finance / tax reporting.
|
| You'll think of something. If you can hack one system, you
| can hack another.
|
| $250k fully legally and with recognition is probably a good
| incentive not to bother. White hats have their privileges.
| bravesoul2 wrote:
| Not really tax free lol! In both cases you arent getting
| withholding so you need to declare it.
| brohee wrote:
| Some exploits are sold bag of cash under a table. See e.g.
| https://news.ycombinator.com/item?id=20651607
|
| Your hookers and blow dealers won't report you to the taxman.
| saagarjha wrote:
| Sure, but your car dealer will.
| bravesoul2 wrote:
| Lol. HN, the famously "confidently incorrect" forum,
| especially on coding topics, is not my lawyer.
|
| And yeah if you want normal stuff like a house or car you'd
| need to wash the money. How do I know? Breaking Bad. Which
| lets be honest is probably for most of us, our only
| reference point here.
| idiotsecant wrote:
| Just use your ill gotten gains slowly for your regular
| living expenses, or a portion of them. Let your legit
| money stack up. Don't cross contaminate the two. EZPZ
| very unlikely to get caught.
| XorNot wrote:
| Hey now, for me it was late primary or early secondary
| school and the book "45+47 Stella St and everything that
| happened"[1]
|
| [1] https://www.elizabethhoney.com/45--47-stella-
| street.html
| drdec wrote:
| The reason you do money laundering is because the source
| of the funds is illegal. If the source of the funds is
| legal, just claim it. There are plenty of occupations
| that get paid in cash and are expected to report it.
|
| The IRS isn't referring suspicious (whatever that means)
| tax returns to the authorities. What happens if you are a
| criminal is that the authorities have their attention on
| you because you are doing illegal things. One angle of
| attack for them is your finances. That is why money
| laundering exists.
| bravesoul2 wrote:
| Maybe the reason is the other way around. To convincingly
| wash money you need a legitimate looking shell business.
| And it needs to pay tax for the reason any other
| business does.
| mike_hearn wrote:
| Selling something to the black market doesn't magically make it
| tax free. It's almost the opposite. The money is going to show
| up in your auditable accounts sooner or later, so it's best to
| pay tax on it, but you'll also have to come up with a fake but
| auditable story of where it came from, meaning you'll have to
| engage the services of professional money launderers. They will
| also take a cut. So, it's like paying tax twice.
|
| Getting paid in cryptocurrency isn't necessarily a dodge either
| because even if you claim you mined it or something, the
| authorities have got wise to this a while ago IIUC and will
| expect to see evidence to back that claim up too.
| charcircuit wrote:
| Selling an exploit is not illegal so why bother with money
| laundering?
| XorNot wrote:
| Because the people buying it don't get their money from
| legal sources, nor engage in legal business activities.
|
| They also have every incentive to make sure you're guilty
| enough to not go blab to the authorities later, or sell it
| to someone else.
|
| And since you're trying to be anonymous in this, you aren't
| going to be getting a regular tax receipt either.
| drdec wrote:
| If you did not commit a crime to receive the money, there
| is no reason for money laundering (at least in the US).
| The IRS does not care as long as you claim it. You don't
| need a fancy story or anything, just claim the income.
| Zinu wrote:
| The money itself might not be dirty, couldn't you just claim
| something like "I sold a secret, highly valuable algorithm to
| this guy"? Tax would still need to be paid of course
| remus wrote:
| Immediate follow up questions from the tax man, and then
| shortly afterwards the police "who is this guy? where is
| the invoice? what is his phone number?"
| Enginerrrd wrote:
| No, it doesnt typically work that way at all. The tax man
| just wants to get paid.
|
| I grew up in an area known for people growing cannabis
| before it was legal. An enormous amount of taxes got
| dodged through cash land deals, but tons of people just
| claimed the income under various categories and no one
| ever came knocking because of that.
|
| Its usually the other way around. If you caught the Fed's
| eye, then they might try to get you on tax evasion or
| something. Although, frankly even that was very rare.
| There are just a lot of very obvious fish to fry.
| sidewndr46 wrote:
| Are you talking about the IRS at the Federal level or
| someone else in the US?
| nkrisc wrote:
| And when they ask you who "this guy" is?
| gruez wrote:
| For the people downvoting, that's unironically a thing:
|
| https://www.irs.gov/publications/p525#en_US_2024_publink100
| 0...
|
| >Illegal activities.
|
| >Income from illegal activities, such as money from dealing
| illegal drugs, must be included in your income on Schedule
| 1 (Form 1040), line 8z, or on Schedule C (Form 1040) if
| from your self-employment activity.
| jama211 wrote:
| You underestimate the tax auditors.
| idiotsecant wrote:
| If you get paid in crypto, leave it in crypto, and just trade
| crypto for goods or services uncle sam is none the wiser.
| tantalor wrote:
| Terrible advice
| jacquesm wrote:
| Up to here you weren't committing any crimes.
|
| > but you'll also have to come up with a fake but auditable
| story of where it came from
|
| And now you did.
| mike_hearn wrote:
| Dubious; seems like if you know you're selling exploits to
| criminals you could be done on a conspiracy charge.
| tantalor wrote:
| Sorry, do you mean the comment was describing hypothetical
| crimes, or literally the comment itself was criminal?
| gosub100 wrote:
| Lying to government officials is a crime. Including
| saying you mined the crypto instead of getting paid for
| selling a vuln
| danjc wrote:
| This is true for all crime.
| edent wrote:
| > pretty sure it he could have gotten more tax free on the
| black market.
|
| How?
|
| I've been paid by bug bounties (although not that big) and I
| have no idea how I would find a trustworthy criminal to sell
| to.
|
| I guess I'd need to find a forum? Unless my opsec is exemplary
| then I'm risking being exposed. I'd need to vet that the buyer
| would actually pay me and not just steal it from me. Even if
| they do pay me, I'd be worried that they'd blackmail me or try
| to extract something from me. But assuming they're good black-
| marketeers, I still have to explain to the authorities where
| this large amount of cash came from.
|
| So how do I go about selling to the black market in a safe way?
|
| Oh, and I don't get to write a blog post about the bug or get
| my name in front of other researchers and recruiters. That can
| be worth a huge amount - both in cash and reputation.
| NoahZuniga wrote:
| > How
|
| There are companies that specialize in getting grey market
| bugs in important software, ie browsers and OSes. They are
| repeat players and have a reputation to actually pay out.
| edent wrote:
| OK. But how do I find _them_? And, again, how do I assess
| their reputation and likelihood of paying me.
|
| How much of a premium are they paying to make it
| worthwhile?
| nevi-me wrote:
| And do those companies facilitate black market
| transactions that would be tax-free?
| heisenbit wrote:
| I would consider it a deferred tax. You pay iff you are
| caught by the tax man with interest (and a potential
| bonus of a tax free holiday in a state sponsored
| facility). Better arrangements may be available if you
| are rich enough so you can get experts to arrange your
| taxes being legally deferred effectively after you died.
| le-mark wrote:
| It's another wrinkle GP didn't get to. If you are paid,
| how to launder the money? Presumably you'd get a shiesty
| lawyer to buy you a nail salon ala breaking bad.
| baobun wrote:
| If you need all that spelled out it's probably not a
| market for you.
|
| You can find some by researching. AIUI most intros are
| via personal connections. I'd be wary of the potential
| ethical implications. There is more than money to life.
| madeofpalk wrote:
| Which, basically, is their whole point.
| saagarjha wrote:
| Have an established track record of finding high quality
| bugs and network with people in that space and you'll
| eventually get introduced to the right people.
| sureglymop wrote:
| I mean you just search on google... Zerodium, Crowdfense,
| Exodus Intelligence, etc.
|
| Sure, I'd say the "sell it elsewhere" stuff is always a
| bit overly optimistic but due to the nature of this
| specific exploit I am pretty sure you could find a buyer
| offering good compensation.
| tptacek wrote:
| Does Zerodium even exist anymore? The impression I have
| is that people seriously selling clientsides weren't
| going through any firm a typical message board thread
| would be talking about.
| landr0id wrote:
| Just search for vulnerability or 0day acquisition
| platforms and do some research into the companies. All of
| them are kinda shady but there are some which only sell
| to Five Eyes if you want to be "moral"
|
| You can also go through ZDI (owned by Trend Micro), but
| the payout will be lower. It's in Trend Micro's interest
| so they can get ahead in detections.
| gosub100 wrote:
| I can't answer your question, but one of the ways trust
| works is you share the vuln with an escrow person, which
| I think is someone on the forum with very high rep. They
| take the vuln from you, confirm it works, and ensure that
| you get paid from the end buyer.
| Thorrez wrote:
| From what I understand, they generally require complete
| reliable exploits. I don't think they generally buy proofs
| of concept, or exploits that only work some percent of the
| time. This specific exploit worked 80% of the time, which
| I'm not sure is good enough for them.
|
| Yes, maybe the exploit could likely be modified to be more
| reliable. That's more work though.
| c-c-c-c-c wrote:
| That's what trusted middle men are for, instead of gaining rep
| among infosec posers on twitter you build rep under your
| anonymous alias. This is nothing new.
|
| Or just sell it to the israelis.
| brcmthrowaway wrote:
| Bahah, best description of the anime avatar people
| jacquesm wrote:
| > a trustworthy criminal
|
| Not going to happen.
| jrflowers wrote:
| You know most criminal enterprises are based pretty much
| solely on trust right? Like that is how a lot of crime gets
| done
| jacquesm wrote:
| 'There is no honor amongst thieves' is a proverb for a
| reason. Case in point, my nephew, who got shot at point
| blank range (from behind, no less) by his 'best friend'.
| Criminals trust each other just long enough until there
| is a way to get ahead at the expense of the other.
|
| Between 'calculative trust' and 'personality based trust'
| there are many poles (and other varieties of trust
| besides), on the whole you're much better off trusting a
| non-criminal than a criminal.
| rdl wrote:
| Mostly the best market is intelligence agency vendors. As a
| US citizen, I would only be comfortable selling to US
| contractors. There are a bunch; if you go to conferences you
| probably meet the people there (look at the sponsors...).
|
| It won't be tax-free, though; you'd probably get a 1099, but
| if you're smart could set it up as corp to corp and deduct a
| bunch of other expenses from it. Part of the sale is signing
| a bunch of NDAs, etc so you can't then release it to others.
| handfuloflight wrote:
| How does
| https://en.wikipedia.org/wiki/Computer_Fraud_and_Abuse_Act
| play into that?
| mikepurvis wrote:
| Off the cuff, I'd guess that any official documentation
| would be around the sale of "research" and not "an
| exploit". Depending how classy the buyer was about it,
| there might or might not be an offline wink and nudge.
| Sephr wrote:
| Selling exploits doesn't inherently violate the CFAA.
| kube-system wrote:
| The CFAA makes it illegal to exceed authorized access to
| any 'protected computer' (in practice, basically any
| computer).
|
| The exploit developer avoids violating the CFAA by
| developing the exploit on their own computer... because
| you are authorized to access your own computer.
|
| The government doesn't violate the CFAA when using
| exploits because government agencies are exempt under 18
| USC § 1030(f)
| tptacek wrote:
| Not a lawyer, do pay a lot of attention to this area for
| professional reasons. Answer: it doesn't, unless you (1)
| found the vulnerability through methods that themselves
| violate CFAA (for instance, by breaking into a remote
| computer), or (2) sold information about the
| vulnerability knowing that it would be used for a
| _particular_ set of crimes, in which case you can get
| accomplice liability for those crimes.
|
| CFAA doesn't have anything to say about vulnerability
| research itself. You'd be just as liable as an accomplice
| if you knowingly and deliberately provided free wi-fi to
| a hacker.
| trhway wrote:
| >Mostly the best market is intelligence agency vendors.
|
| That makes me wonder - maybe the original bug was really a
| backdoor created as a result of a deal with an intelligence
| agency/vendor. So, can it be that Google gets money (or
| more generally some kind of brownie points; also interesting
| aspect - given that the agencies may exploit individual
| engineers, it would seem to be more preferable for the
| company to play ball and have it organized under the
| company's control) for a backdoor, and once the backdoor is
| found - pays the bug bounty. The bug bounty is thus a kind
| of backdoor quality control program :)
| encom wrote:
| You'll probably end up with 40 subscriptions to Vibe
| magazine.
| saagarjha wrote:
| > Now, with EDR widely deployed it's likely that the exploit
| usage ends up being caught sooner than later
|
| lol
| brohee wrote:
| Why? If you actually exit the sandbox you'll start leaving
| traces, and eventually you'll slip and be looked at. That's
| part of the story EDR vendors sell at least.
|
| You can't deny that you are way more likely to burn the
| exploit using it on a machine under watch than on a machine
| that is not...
| msh wrote:
| If you got it tax free you would run the risk of being
| prosecuted for tax evasion, would that really be worth it?
| dadrian wrote:
| You still have to pay taxes on income from non-bug bounty
| vulnerability markets, be it to law enforcement, brokers, or
| criminals.
| tptacek wrote:
| Yes; this is the one case where there's a liquid market for
| these kinds of vulnerabilities. The important detail: for these
| (and only these) bugs, you can sell them _multiple times_; for
| instance, firms exist that specialize in selling these bugs and
| their enablement packages to, say, every law enforcement and
| intelligence agency in a single country.
| QuadrupleA wrote:
| Everybody here is coldly evaluating the financial profit
| comparison. How about being a decent human being, and not
| enabling hundreds of criminals to hurt millions of people
| because your net income is potentially better?
| klysm wrote:
| People are evaluating this from a cold perspective to see if
| the system is working as designed or not.
| QuadrupleA wrote:
| Hopefully decency reduces the necessary price a little.
| tptacek wrote:
| People are fixated, across this thread, on a black market of
| organized criminals buying vulnerabilities, but for the most
| part criminals aren't the real alternative market buyers for
| high-end vulnerabilities, and while people on message boards
| may incline towards viewing IC and LEO agencies as themselves
| criminal, I think you'll find a pretty substantial fraction
| of normal people find supplying IC/LEO agencies as more than
| just decent; praiseworthy, even.
|
| That thorny ethical issue aside, I'm fond of pointing out
| that the IC's main alternative to CNE intelligence collection
| is human intelligence, and the cost of HUMINT simply in
| employee benefits dwarfs any near-term possible cost of
| exploit enablement packages; 7 figures is a pittance
| (remember: most major western governments are essentially
| benefits management organizations with standing armies).
|
| Even given the seemingly vast sums earned by organized crime,
| government buyers are positioned to decisively outbid crime
| over the medium term. It's really early days for these
| markets.
| pyrale wrote:
| Not commenting about the ic/leo part specifically, but
| there is a pretty abundant body of work on what "normal"
| people are willing to do, as long as they find a way to
| rationalize it away. The banality of evil is well
| documented.
|
| In that light, what others would do is rarely a reliable
| indicator that you shouldn't think twice about your
| actions, lest you regret later, once the thinking has
| happened.
| tptacek wrote:
| I have no idea what any of this has to do with anything I
| just wrote, I'm sorry.
| pyrale wrote:
| I was commenting on your point that a pretty substantial
| fraction of normal people find some actions decent, and
| even praiseworthy.
|
| My point is that this fact shouldn't belong in a
| discussion about ethics, given how often widely held
| moral positions have come to be a source of regret.
| omoikane wrote:
| > pretty sure it he could have gotten more tax free on the
| black market.
|
| Not necessarily. On slide 72 of this presentation, it says
| sandbox escape or bypass for Chrome is worth up to $200000:
|
| https://nocomplexity.com/wp-content/uploads/2024/06/bluehat2...
|
| (I originally found this presentation on github[1], but github
| seems down right now[2].)
|
| [1]
| https://github.com/mdowd79/presentations/blob/main/bluehat20...
|
| [2]
| https://www.reddit.com/r/github/comments/1mnlgc5/is_github_d...
| miohtama wrote:
| Mossad and its subsidiaries like NSO pay $1M
|
| https://citizenlab.ca/2016/08/million-dollar-dissident-
| iphon...
| tptacek wrote:
| NSO is one of dozens of firms that do this work; people are
| just fixated on NSO because it's the one broker/enablement
| firm they've actually heard of. The fact that you know who
| you are should make you less confident in their ability,
| not more.
| helsinkiandrew wrote:
| Link to the reward comment:
|
| https://issues.chromium.org/issues/412578726#comment26
| strstr wrote:
| " Default disclosure for this issue is 11 August. Opening this
| issue just five days early for visibility this particular week.
| :)"
|
| Hello Defcon!
| colbyn wrote:
| Suppose someone wanted to dive into other projects with the
| ambition of finding high value bugs. Besides chromium what would
| you recommend or consider? What would be your thought process for
| deciding what projects to look into?
| kafrofrite wrote:
| The answer to your question is WebKit (because iOS), kernels
| (XNU, Linux, Windows) etc. In case you are not familiar with
| the domain I'd start with user-space exploitation and relevant
| write ups to get my feet wet. You'll find plenty of write ups,
| blogs etc. so I'll skip those. Some of the books I generally
| found interesting are [1],[2], [3]. There's more to that,
| including fundamental concepts of CS (e.g., compilers and
| optimization in JITs, OS architecture etc.). I believe also
| https://p.ost2.fyi/dashboard has some relevant training.
|
| [1] https://nostarch.com/zero-day
|
| [2] https://nostarch.com/hacking2.htm
|
| [3]
| https://ia801309.us.archive.org/26/items/Wiley.The.Shellcode...
| dontdoxxme wrote:
| Bugs are "High value" in different ways, you have to find the
| companies willing to pay highly. Most of the high payers are on
| bug bounty programs (like hackerone.com) and don't always give
| you ability to talk about bugs later.
|
| Google is quite unique here, particularly given Chrome is
| paying easily 10x what Mozilla would for a sandbox escape.
| Apple is in the middle -- per [1] a "WebContent sandbox escape"
| would be $50k, but to get $250k on their scale you need to
| combine that with a kernel bug.
|
| So if you want to optimise for "value", you have to pick the
| targets that are easier (still not easy, obviously).
|
| [1]: https://security.apple.com/bounty/categories/
| OutOfHere wrote:
| It is unfortunate that there is no web browser in a memory safe
| language. As I understand, both Chromium and Firefox use C++,
| although Firefox partly uses Rust. This has put billions of
| people at risk.
| qcnguy wrote:
| This bug is a logic error iiuc so language wouldn't help.
| acer4666 wrote:
| This post is about a logic bug that could have happened in any
| language
| camdroidw wrote:
| Servo project is active and probably usable in a year or two
| (but as others have said this bug is different)
| PhilipRoman wrote:
| One of the biggest security holes is the JIT engine, rewriting
| it in Rust or any other language wouldn't make a difference,
| since it is effectively an inner platform.
| dig1 wrote:
| Sandbox escape with high-quality report in Chrome: $250k [1], yet
| Mozilla will offer you $20k [2] for that...
|
| [1] https://bughunters.google.com/about/rules/chrome-
| friends/574...
|
| [2] https://www.mozilla.org/en-US/security/client-bug-bounty/
| mosselman wrote:
| Have you looked at the financial health of the one company vs
| the other? I am pretty sure Google is making more than 10x the
| money Mozilla is making.
| MrGilbert wrote:
| According to Wikipedia, that's 0.012% of their net income. [0]
| While I'm being told in the comments that this is not the way
| to look at it, it means that this is, percentage wise, 50x the
| amount that Google is paying.
|
| Sounds fine to me.
|
| [0]: https://en.wikipedia.org/wiki/Mozilla_Corporation
|
| _Edit: Had a typo in my percentage. 20.000 of 157.000.000
| is, indeed, 0.012% - that makes it 50x the amount of Google's
| percentage._
| FirmwareBurner wrote:
| _> According to Wikipedia, that's 0.0012% of their net
| income._
|
| How much of the Mozilla foundation's income goes into product
| development nowadays?
| Ray20 wrote:
| Do you imply that it's not 5x, but 500x of what Google
| pays? /s
| MrGilbert wrote:
| 260 Mio. USD, as answered by the linked article, though the
| numbers only go up to 2023. So "nowadays" is a bit of a
| stretch.
| morpheuskafka wrote:
| But Chrome is paying more as a percentage of their browser
| units' income, no?
|
| Virtually all of Mozilla's income comes from the browser (via
| the Google search agreement). The vast majority of Google's
| revenue comes from ad revenue on search, YouTube, and
| Adsense. Not from Chrome directly. So they had less incentive
| to reward its security, but did so anyway. And they also do
| some of the best work in the industry, free, for competitors
| via Project Zero.
| victorbjorklund wrote:
| The browser totally has zero to do with google ads. Totally
| no connection at all.
| alxeder wrote:
| the browser did limit the capabilities of adblockers
| quite drastically lately, but this is surely a
| coincidence.
| Arnt wrote:
| People keep saying that. There are two problems with
| that, namely 1 Google's own ads are easy to block using
| the new API and 2 the new API is effective at blocking
| various evil attacks. If Google wanted to get rid of ad
| blockers, I'm sure they could come up with an API that
| does a better job than that.
|
| https://textslashplain.com/2024/10/13/content-blocking-
| in-ma... shows a ten-line ad blocker that blocks Google's
| ads, https://github.com/extesy/hoverzoom/discussions/670
| is a list of polite email messages from people who'd like
| to have elevated access to browsers.
| Rohansi wrote:
| Don't forget about YouTube!
| crazygringo wrote:
| What about YouTube?
|
| uBlock Origin Lite blocks YouTube ads just fine.
| Rohansi wrote:
| Not for everyone.
|
| Do you really think Google wouldn't do anything about ad
| blockers? Especially now that no ads is one of the
| selling points of YouTube Premium?
| crazygringo wrote:
| Have you tried? There's a strength setting to the
| extension. At max strength it's been blocking all YT ads
| for a while.
|
| And it doesn't matter what I think about it. I'm giving
| you facts not opinions.
| Arnt wrote:
| Well, maybe.
|
| Personally I believe that the browser is intended to
| defend against e.g. Facebook's apps. Google wants to make
| sure that if you buy a new device and it comes with a
| Facebook app preinstalled, it also comes with a browser.
| And that the browser isn't controlled by anyone who'd
| like to disrupt any of Google's many nice income streams.
| fny wrote:
| Do you pay a software engineer for their time based on your
| revenue or his skill?
| tossandthrow wrote:
| Mostly based on revenue - or at least that is the way we
| are going.
|
| That is why you see equivalent skill levels being paid
| differently in big tech compared to other places.
|
| And why you see millions in salaries at some big techs Ai
| hiring.
| ponector wrote:
| Not at all. Corporations always pay as little as
| possible. Unless we are talking about CEO levels...
| yaseer wrote:
| Both - these are the two sides of the market, aka supply
| and demand.
| LauraMedia wrote:
| If you don't have the revenue, you don't pay them at all,
| because you don't actually employ them.
|
| It's really no secret that higher revenue means higher
| potential pay/more devs...
| ndr wrote:
| Be somewhat competitive to what such developers could get
| on the black market. Discounting the ethics.
|
| Surely a bug on Chrome is worth more than a bug on Firefox.
| UncleMeat wrote:
| Should I be competitive with meth manufacturers when I
| buy prescription cold medicine from a pharmacist?
| fkyoureadthedoc wrote:
| This is the complete opposite in every facet. I struggle
| to think of a worse analogy.
| Danjoe4 wrote:
| Bad analogy, but yes actually. This is one reason people
| buy drugs from illegal online pharmacies - cost. I
| ndr wrote:
| To the extent that meth is a viable substitute for cold
| medicine you'll have those prices correlating.
|
| But more to your point: the bounty is more similar to an
| auction. Once you sell the bug to the software producer
| the black market has no more use of it, assuming it gets
| fixed.
|
| Supply is constrained, so competition is on the demand
| side.
|
| On the drug example demand is constrained, if you're the
| only buyer. So competition happens on the supply side.
| woadwarrior01 wrote:
| If only they'd use a similar rubric to rein in their CEO
| comp[1].
|
| [1]: https://news.ycombinator.com/item?id=24132168
| exizt88 wrote:
| Is their CEO comp not in line with the market?
| Almondsetat wrote:
| Are Mozilla's earnings in line with the market?
| ToucanLoucan wrote:
| That's a bad rubric to judge by, in this case. CEO pay is
| at a historic high, in fact I'm pretty sure the last time
| the gap in wage between median workers and CEOs was this
| high was the roaring 20's, which famously went quite well
| for the economy.
| amiga386 wrote:
| No. More than 80% of Mozilla Corp's income is a yearly
| payment from Google. [0]
|
| The payment will stop immediately if Google thinks it's
| no longer needed, or if federal prosecutors (who have
| determined this payment is _illegal_) decide the remedy
| is to stop the payment. [1]
|
| The CEO's job is simple. Say "I think we should take
| Google's money again this year", and then pocket several
| million of it. Ca-ching! What are your plans for post-
| Google-money? Uh uh... AI? Sell out our users to
| advertisers? [2] It's not looking good.
|
| The Firefox market share continues to dwindle. The board
| continues to hob-nob with San Francisco socialites and
| "activists" and use Mozilla as a piggybank to fund their
| chums. [edit: removed line about Mitchell Baker as she
| does seem to have finally left]
|
| [0] https://en.wikipedia.org/wiki/Mozilla_Corporation#Fin
| ances
|
| [1] https://www.bloomberg.com/news/articles/2024-08-05/go
| ogle-lo...
|
| [2] https://news.ycombinator.com/item?id=43185909
| sciurus wrote:
| > Mitchell Baker did not leave the gravy train by
| stepping down as CEO, she merely moved to a different
| seat on the gravy train - chair of the Mozilla Foundation
|
| Mitchell has not been a member of the Mozilla Foundation
| or Mozilla Corporation boards since February 2025.
|
| https://blog.mozilla.org/en/mozilla/mozilla-leadership-
| growt...
| amiga386 wrote:
| Thanks for noting that, I hadn't realised. I've edited
| out that line.
| rvz wrote:
| Tells you who is more serious about security. A quarter of $1M
| is a fair price for this type of bug.
|
| Won't complain about that.
| markdown wrote:
| > Tells you who is more serious about security.
|
| Yup, clearly Mozilla.
|
| $250k is loose change for Google.
| perching_aix wrote:
| Really doesn't tell me piss all, as I'm not privy to their
| respective overall cash flow. Are you, considering you say it
| does for you?
|
| Is monetary expenditure on vulnerability payouts really the
| primary determinant of who's taking security more seriously,
| by the way? Sounds a bit backwards to me.
| tossandthrow wrote:
| Just like you personally obviously don't care about your
| personal security when you do not pay a team of body guards
| 250k a year.
| camdroidw wrote:
| * Compare income
|
| * Compare market share
|
| * Compare market share normalised by likelihood of attack
| yielding benefit, in short-- fx users would be power users
| probably more likely to have other ways to mitigate an attack
|
| * Or basically just compare black market prices which have
| already taken the above 3 into account
| xbmcuser wrote:
| Chrome has 15-20 times the users that Firefox has; in the
| black market the bug would sell for a similar ratio. Safari
| might go for more as it has more rich and tech security
| illiterate users.
| catsma21 wrote:
| disagree. more marketshare does not mean juicier targets,
| which, in this case, would be tor users. in addition, you
| don't buy an exploit to use it en masse, that would get it
| burned really quickly
| tptacek wrote:
| More market share does in fact impact availability of
| targets, but in the case of Firefox it's just as much a
| factor that there are more bugs and exploits floating
| around.
| tptacek wrote:
| The grey market also offers much less for Firefox
| vulnerabilities, for reasons of both supply and of demand.
| jancsika wrote:
| It'd be fun to do a sketch that's a montage of an array of HN
| armchair quarterbacks rolling up their sleeves and taking
| short-lived shots at CEO for Mozilla.
|
| Marching into the home office, kicking butt, and pointing at
| the whiteboard for their favorite pet project:
|
| * Mozilla focusing on privacy
|
| * Mozilla focusing on web standards
|
| * Mozilla focusing on speed
|
| * Mozilla (apparently, here) focusing on maximizing the size of
| payouts for bug bounties
|
| Inspiring, Rocky-style music plays in the background.
|
| In the foreground, a red line continuously traces slowly
| downward, with no perceivable relationship to the scenes in the
| montage.
| matsemann wrote:
| Is there somewhere explaining this bug in terms understandable
| for someone not dabbling in this?
|
| I don't really understand how this works to "escape the sandbox".
| Normally it's like a website you visit that gets access it
| shouldn't have. But this talk about renderers and native APIs
| makes it seem like it's stuff another process on the computer
| would do?
| Retr0id wrote:
| First you compromise the renderer process via e.g. a bug in the
| JS engine. But even if you have native code execution in the
| context of the renderer process, you're still in a sandbox.
|
| The bug in the OP is for the second stage - breaking out of the
| sandbox.
|
| The referenced `patch.diff` is basically for simulating a
| compromised renderer.
| matsemann wrote:
| Ah, so it's like a two stage rocket, this turns a small
| exploit into a humongous one?
| baobabKoodaa wrote:
| This sounds like a good way to think about exploit chains
| (though I'm not an expert)
| tetha wrote:
| Or an escape room, indeed.
|
| Once you're thinking along the lines of "Alright, if I had
| some order of flags, I could solve that thing over there.
| If I knew some kind of weights, I could solve that over
| there. And if I could find a light bulb I could deal with
| that over there", you're kinda in the mindset of finding an
| exploitation chain.
|
| It's just that in the security world, it's more about bad
| memory accesses, confusing programs into doing the right
| actions with wrong files, file permissions being weird and
| such.
| Retr0id wrote:
| Sorta, although I wouldn't necessarily call the first
| exploit "small", it's at least equally important in the
| overall chain. "Chain" being the more usual metaphor, for
| this reason.
| bialpio wrote:
| Yes. Chrome has a multi-process architecture, with renderer
| processes running in a sandbox. They are the ones that deal
| with untrusted stuff coming from the Internet, and so it is
| safe to assume that they can be compromised (relatively)
| easily. The puppet master for all those processes is the
| browser process, and it is Really Bad if you could exploit
| it. The described bug presumably does it (note how "sandbox
| escape" was used in one of the comments), but I'm not
| competent enough to say exactly how. ;)
|
| Edit: just wanted to riff on your analogy. It is relatively
| simple to crash/shoot down a rocket, but this exploit gets
| into the control room and could allow the attacker to see
| where all other rockets are going & maybe redirect/crash
| them.
| kristianp wrote:
| > The referenced `patch.diff` is basically for simulating a
| compromised renderer.
|
| The patch.diff part is hard to understand. Surely if you have
| a compromised renderer, you have effectively full access to
| the machine already?
| Retr0id wrote:
| No, because of the sandbox.
| saagarjha wrote:
| Modern browsers have multiple processes with different
| sandbox policies. The renderer process handles untrusted
| web content and is heavily sandboxed. The browser process
| does all the other stuff required to interact with your
| computer (and is generally much less isolated).
| pests wrote:
| The main browser process treats the renderer as
| untrustworthy/potentially hostile. A compromised renderer
| is in the threat model.
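The trust boundary saagarjha and pests describe above, as an added toy model that is not code from the thread or from Chromium: the browser process records what each sandboxed renderer was granted when it was spawned, validates every IPC message against that record, and terminates a renderer that sends anything out of policy, since a malformed or over-reaching message is evidence the renderer is compromised. All names here (BrowserProcess, handle_ipc, the message types and capability strings) are constructed for this example and are not Chromium's real IPC or Mojo APIs.

```python
"""Toy model of the browser-process / renderer trust boundary.

A renderer is assumed compromised; the browser process must therefore
never act on a renderer's claims without checking them against what it
granted that renderer itself. Everything here is constructed for the
example and does not mirror Chromium's actual IPC implementation.
"""

from dataclasses import dataclass, field

# Capabilities the browser process may grant a renderer at spawn time.
CAP_STORAGE = "storage"      # may read storage for its own site
CAP_FILE_READ = "file_read"  # may read files the user explicitly picked


@dataclass
class Renderer:
    """Browser-side record of one sandboxed renderer (constructed)."""
    site: str                                   # site this renderer is locked to
    caps: set = field(default_factory=set)      # granted capabilities
    allowed_files: set = field(default_factory=set)  # user-picked file paths
    alive: bool = True


class BrowserProcess:
    def __init__(self) -> None:
        self.renderers: dict[int, Renderer] = {}
        self.bad_message_log: list[str] = []

    def spawn_renderer(self, rid: int, site: str, caps=(), files=()) -> None:
        self.renderers[rid] = Renderer(site=site, caps=set(caps),
                                       allowed_files=set(files))

    def _kill(self, rid: int, reason: str) -> dict:
        # Out-of-policy input is treated as compromise: log it and terminate
        # the sender instead of trying to repair or partially honour it.
        self.renderers[rid].alive = False
        self.bad_message_log.append(f"renderer {rid}: {reason}")
        return {"ok": False, "error": "bad_message"}

    def handle_ipc(self, rid: int, msg: dict) -> dict:
        """Validate one message from renderer `rid` and service it or kill."""
        r = self.renderers.get(rid)
        if r is None or not r.alive:
            return {"ok": False, "error": "unknown_sender"}

        mtype = msg.get("type")
        if mtype == "read_storage":
            origin = msg.get("origin")
            if not isinstance(origin, str):
                return self._kill(rid, "read_storage without string origin")
            # The renderer may only name the site it was locked to, and only
            # if storage access was granted; anything else is hostile.
            if origin != r.site or CAP_STORAGE not in r.caps:
                return self._kill(rid, f"storage access to {origin} not granted")
            return {"ok": True, "data": f"<storage for {origin}>"}

        if mtype == "read_file":
            path = msg.get("path")
            if not isinstance(path, str):
                return self._kill(rid, "read_file without string path")
            # File access is decided by the browser-side allow-list the user
            # populated, never by the path the renderer asks for.
            if CAP_FILE_READ not in r.caps or path not in r.allowed_files:
                return self._kill(rid, f"file read of {path} not granted")
            return {"ok": True, "data": f"<contents of {path}>"}

        return self._kill(rid, f"unknown message type {mtype!r}")


def demo() -> tuple:
    """Legit request, then a cross-site request from the same renderer."""
    b = BrowserProcess()
    b.spawn_renderer(1, "https://example.test", caps=[CAP_STORAGE])
    legit = b.handle_ipc(1, {"type": "read_storage", "origin": "https://example.test"})
    # A compromised renderer asking for another site's storage.
    cross = b.handle_ipc(1, {"type": "read_storage", "origin": "https://bank.test"})
    # The renderer was terminated, so even a well-formed follow-up is refused.
    after = b.handle_ipc(1, {"type": "read_storage", "origin": "https://example.test"})
    return legit["ok"], cross["ok"], after["error"], len(b.bad_message_log)


if __name__ == "__main__":
    print(demo())
```

The point of the model is where the decision lives: every check reads browser-side state (`site`, `caps`, `allowed_files`), so a renderer that has full code execution inside its sandbox still cannot talk its way past the boundary by lying in a message. A second bug in the browser process, of the kind the report discusses, is what it would take.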
| mkagenius wrote:
| Impressive speed on rewarding as well. Around 4 weeks.
|
| Lots of companies will sit for months just to acknowledge your
| submission.
| BillLumbergh wrote:
| Google have money to burn though.
| AJRF wrote:
| I wonder how much the black market would pay for an exploit like
| that - anyone know?
| defraudbah wrote:
| not 250k for sure :)
|
| Google's security team is really good; however, sometimes things
| are controversial because certain bugs get ignored in the MS way,
| which is famous for not paying/not fixing.
| tptacek wrote:
| Grey market, not black. It's been several months since I've
| talked to anyone in the space but full-chain reliable quiet
| Chrome exploit packages were high six figures, with discussions
| starting about bugs reaching 7 figures imminently, and the
| people I talked to might have been talking that down (or
| talking it up).
|
| Again, remember that grey market payouts are tranched, so you
| could get 3x more than Google would pay, or you could get 0.5x,
| and for _much_ more work.
| ertucetin wrote:
| Does this mean engineers of Google can't fix it?
| saagarjha wrote:
| No, it was fixed after it was reported.
| austin-cheney wrote:
| I didn't get anything for my JavaScript recursive reference
| failure defect report a decade ago, but then it also wasn't a
| sev1 security compromise defect either.
| geertj wrote:
| Of note, this is a logic/timing bug, and Rust would not have
| prevented this.
| Avamander wrote:
| Although seeing these bugs fixed and getting rewarded for finding
| them is great, I still think that Microsoft's idea of
| virtualising the entire browser process was genius. It also feels
| better than any "lockdown"-like mode that maybe just disables
| some JIT engine or two.
|
| I'd really like that on both Linux and macOS.
| brcmthrowaway wrote:
| Are there people who work full time from income on bug bounties?
| landr0id wrote:
| Yes. There are plenty of folks who submit to the company I work
| for who live in regions of the world that are extremely low
| cost of living/salary (in USD terms) and most BB programs pay
| out fixed USD rates. It can be very lucrative.
| tptacek wrote:
| To add to the sibling comment, there are also many different
| ways of making a living doing this stuff:
|
| * You can find killer clientside bugs where the bounty will
| cover a year's worth of compensation (bear in mind you'll get
| maybe 1.5 of these payouts a year on your own if you're good
| but replacement-level)
|
| * You can find these kinds of bugs and work with brokers to
| sell them to grey-market buyers along with enablement/implants
| --- more development work, a little more market risk.
|
| * You can find smaller, easier bugs (serverside, web bugs) that
| get nothing resembling these kinds of payouts but are much
| easier to find, and make good money on volume. This is a much
| more common way of making a living on bounty payments.
| brcmthrowaway wrote:
| This seems harder and riskier than a full time wage - almost
| like a salesman who makes money from commission.
| tptacek wrote:
| The salesperson earning much of their annual take-home from
| variable compensation is one of the most common white
| collar jobs there is.
| tantalor wrote:
| I'm highly skeptical this level of bug bounty would be
| sustainable by whatever company ends up buying Chrome after DOJ
| forces it to be divested.
___________________________________________________________________
(page generated 2025-08-11 23:01 UTC)