According to Wikipedia, that's 0.012% of their net income. [0]
While I'm being told in the comments that this is not the way to look at it, it means that this is, percentage wise, 50x the amount that Google is paying.
No. More than 80% of Mozilla Corp's income is a yearly payment from Google. [0]
The payment will stop immediately if Google thinks it's no longer needed, or if federal prosecutors (who have determined this payment is illegal) decide the remedy is to stop the payment. [1]
The CEO's job is simple. Say "I think we should take Google's money again this year", and then pocket several million of it. Ca-ching! What are your plans for post-Google-money? Uh uh... AI? Sell out our users to advertisers? [2] It's not looking good.
The Firefox market share continues to dwindle. The board continues to hob-nob with San Francisco socialites and "activists" and use Mozilla as a piggybank to fund their chums. Mitchell Baker did not leave the gravy train by stepping down as CEO, she merely moved to a different seat on the gravy train - chair of the Mozilla Foundation, where her salary is less visible.
> Mitchell Baker did not leave the gravy train by stepping down as CEO, she merely moved to a different seat on the gravy train - chair of the Mozilla Foundation
Mitchell has not been a member of the Mozilla Foundation or Mozilla Corporation boards since February 2025.
That's a bad rubric to judge by, in this case. CEO pay is at a historic high, in fact I'm pretty sure the last time the gap in wage between median workers and CEOs was this high was the roaring 20's, which famously went quite well for the economy.
morpheuskafka · 4h ago
But Chrome is paying more as a percentage of their browser units' income, no?
Virtually all of Mozilla's income comes from the browser (via the Google search agreement). The vast majority of Google's revenue comes from ad revenue on search, YouTube, and Adsense. Not from Chrome directly. So they had less incentive to reward its security, but did so anyway. And they also do some of the best work in the industry, free, for competitors via Project Zero.
victorbjorklund · 4h ago
The browser totally has zero to do with google ads. Totally no connection at all.
alxeder · 4h ago
the browser did limit the capabilities of adblockers quite drastically lately, but this is surly a coincidence.
No comments yet
fny · 4h ago
Do you pay a software engineer for their time based on your revenue or his skill?
ndr · 3h ago
Be somewhat competitive to what such developers could get on the black market. Discounting the ethics.
Surely a bug on Chrome is worth more than a bug on Firefox.
UncleMeat · 49m ago
Should I be competitive with meth manufacturers when I buy prescription cold medicine from a pharmacist?
tossandthrow · 4h ago
Mostly based on revenue - or at least that is the way we are going.
That is why you see equivalent skill levels being paid differently in big tech compared to other places.
And why you see millions in salaries at some big techs Ai hiring.
ponector · 3h ago
Not at all. Corporation always pays as little as possible. Unless we are talking about CEO levels...
LauraMedia · 3h ago
If you don't have the revenue, you don't pay them at all, because you don't actually employ them.
It's really no secret that higher revenue means higher potential pay/more devs...
yaseer · 3h ago
Both - these are the two sides of the market, aka supply and demand.
FirmwareBurner · 4h ago
>According to Wikipedia, that's 0.0012% of their net income.
How much of the Mozilla foundation's income goes into product development nowadays?
MrGilbert · 4h ago
260 Mio. USD, as answered by the linked article, though the numbers only go up to 2023. So "nowadays" is a bit of a stretch.
Ray20 · 4h ago
Do you imply that it's not 5x, but 500x of what Google pays? /s
xbmcuser · 2h ago
Chrome has 15-20 times the users that firefox in the blackmarket the bug would sell for similar ratio. Safari might go for more as it has more rich and tech security illiterate users.
mosselman · 5h ago
Have you looked at the financial health of the one company vs the other? I am pretty sure Google is making more than 10x the money Mozilla is making.
camdroidw · 4h ago
* Compare income
* Compare market share
* Compare market share normalised by likelihood of attack yielding benefit, in short-- fx users would be power users probably more likely to have other ways to mitigate an attack
* Or basically just compare black market prices which already taken the above 3 into account
rvz · 5h ago
Tells you who is more serious about security. A quarter of $1M is a fair price for this type of bug.
Won't complain about that.
tossandthrow · 3h ago
Just like you personally obviously don't care about your personal security when you do not pay a team of body guards 250k a year.
perching_aix · 4h ago
Really doesn't tell me piss all, as I'm not privy to their respective overall cash flow. Are you, considering you say it does for you?
Is monetary expenditure on vulnerability payouts really the primary determinent of who's taking security more seriously, by the way? Sounds a bit backwards to me.
markdown · 4h ago
> Tells you who is more serious about security.
Yup, clearly Mozilla.
$250k is loose change for Google.
brohee · 5h ago
He had a pretty reliable exploit on the most used browser, pretty sure it he could have gotten more tax free on the black market.
Now, with EDR widely deployed it's likely that the exploit usage ends up being caught sooner than later, but pretty sure some dictatorship intelligence agency would have found all those journalists deep compromise worthwhile...
edent · 3h ago
> pretty sure it he could have gotten more tax free on the black market.
How?
I've been paid by bug bounties (although not that big) and I have no idea how I would find a trustworthy criminal to sell to.
I guess I'd need to find a forum? Unless my opsec is exemplary then I'm risking being exposed. I'd need to vet that the buyer would actually pay me and not just steal it from me. Even if they do pay me, I'd be worried that they'd blackmail me or try to extract something from me. But assuming they're good black-marketeers, I still have to explain to the authorities where this large amount of cash came from.
So how do I go about selling to the black market in a safe way?
Oh, and I don't get to write a blog post about the bug or get my name in front of other researchers and recruiters. That can be worth a huge amount - both in cash and reputation.
c-c-c-c-c · 25m ago
Thats what trusted middle men are for, instead of gaining rep among infosec posers on twitter you build rep under your anonymous alias. This is nothing new.
Or just sell it to the israelis.
NoahZuniga · 2h ago
> How
There are companies that specialize in getting grey market bugs in important software, ie browsers and OSes. They are repwat players and have a reputation to actually pay out.
Thorrez · 26m ago
From what I understand, they generally require complete reliable exploits. I don't think they generally buy proofs of concept, or exploits that only work some percent of the time. This specific exploit worked 80% of the time, which I'm not sure is good enough for them.
Yes, maybe the exploit could likely be modified to be more reliable. That's more work though.
edent · 2h ago
OK. But how do I find them? And, again, how do I assess their reputation and likelihood of paying me.
How much of a premium are they paying to make it worthwhile?
baobun · 1h ago
If you need all that spelled out it's probably not a market for you.
You can find some by researching. AIUI most intros are via personal connections. I'd be wary of the potential ethical implications. There is more than money to life.
madeofpalk · 50m ago
Which, basically, is their whole point.
nevi-me · 1h ago
And do those companies facilitate black market transactions that would be tax-free?
heisenbit · 1h ago
I would consider it a deferred tax. You pay iff you are caught by the tax man with interest (and a potential bonus of a tax free holiday in a state sponsored facility). Better arrangements may be available if you are rich enough so you can get experts to arrange your taxes being legally deferred effectively after you died.
saagarjha · 1h ago
Have an established track record of finding high quality bugs and network with people in that space and you'll eventually get introduced to the right people.
sureglymop · 1h ago
I mean you just search on google... Zerodium, Crowdfense, Exodus Intelligence, etc.
Sure, I'd say the "sell it elsewhere" stuff is always a bit overly optimistic but due to the nature of this specific exploit I am pretty sure you could find a buyer offering good compensation.
mike_hearn · 4h ago
Selling something to the black market doesn't magically make it tax free. It's almost the opposite. The money is going to show up in your auditable accounts sooner or later, so it's best to pay tax on it, but you'll also have to come up with a fake but auditable story of where it came from, meaning you'll have to engage the services of professional money launderers. They will also take a cut. So, it's like paying tax twice.
Getting paid in cryptocurrency isn't necessarily a dodge either because even if you claim you mined it or something, the authorities have got wise to this a while ago IIUC and will expect to see evidence to back that claim up too.
Zinu · 3h ago
The money itself might not be dirty, couldn’t you just claim something like “I sold a secret, highly valuable algorithm to this guy”? Tax would still need to be paid of course
remus · 3h ago
Immediate follow up questions from the tax man, and then shortly afterwards the police "who is this guy? where is the invoice? what is his phone number?"
nkrisc · 36m ago
And when they ask you who “this guy” is?
charcircuit · 3h ago
Selling an exploit is not illegal so why bother with money laundering?
whatever1 · 4h ago
Why not collect from both of the sources? First collect with your black hat and then with your white.
saagarjha · 1h ago
Black hats will not pay you for an exploit that dies quickly once the white hats get your report. White hats will not pay you for an exploit that you fenced to a black hat agency and showed up in the wild.
Wowfunhappy · 12m ago
> White hats will not pay you for an exploit that you fenced to a black hat agency and showed up in the wild.
...come to think of it, how does that work? Aren't the most important exploits to patch the ones being actively used in the wild?
In other words, how do they avoid someone playing both sides? "I found an exploit being used by the LEETH4X0R malware [which was in fact created by the guy I sold this exploit to] to steal people's gmail cookies."
You'd have to find out about LEETH4X0R before other researchers, but of course, you'd have a head start.
ajb · 4h ago
"If I report the body, no-one will suspect I'm the murderer"
Yes they will.
johnisgood · 4h ago
Which is why people are hesitant to report a body they have not killed, just found!
BaseBaal · 45m ago
Can usually report anonymously so this shouldn't be an issue. If there's no mechanism for that then yeah I'd consider keeping my mouth shut if it doesn't involve me directly (like the body is in my home somehow).
ChrisRR · 4h ago
Because you'll get found out and never employed as a security researcher again
elcritch · 3h ago
Perhaps but won’t some of those blackhats pay $1 million or more? Depending where you live that’s retirement money.
Honestly I’d be more worried about crossing the blackhats.
londons_explore · 4h ago
Typically can't do that.
Security services tend to anonymously report security flaws they use after use against any high value target, since they don't want the opponent using those same flaws back at them.
whatever1 · 4h ago
Private sector has the incentive of keeping an exploit open for as long as possible. Several cases with iPhone exploits that were apparently open (and sold) for years.
brohee · 3h ago
An exploit that is used is an exploit that will eventually leave traces that an analyst will look at (if used on a corporate PC)... Either you use it very sparingly on HVT or you end up on the EDR radars and some IOC will be made public eventually.
andersa · 4h ago
What if people start asking questions where you got the million dollars from? I've never understood how those presumably illegal markets can function with such large sums involved.
saagarjha · 1h ago
They're not illegal.
Reasoning · 4h ago
Money laundering, give the money to a shell company and have them report it as income. Obviously not that simple but that's the basic explanation.
bravesoul2 · 4h ago
That is why money laundering exists.
atemerev · 1h ago
You are a security researcher. Your mind is trained to find and mitigate vulnerabilities. Including the vulnerabilities in finance / tax reporting.
You'll think of something. If you can hack one system, you can hack another.
$250k fully legally and with recognition is probably a good incentive not to bother. White hats have their privileges.
mrheosuper · 4h ago
not if millions of dollars is bitcoin
msh · 1h ago
If you got it tax free you would run the risk of being prosecuted for tax evasion, would that really be worth it?
danjc · 3h ago
This is true for all crime.
bravesoul2 · 4h ago
Not really tax free lol! In both cases you arent getting withholding so you need to declare it.
Impressive. Feel like finding issues like this in such a large project is like looking for a needle in a haystack
georgemcbay · 5h ago
Finding issues in large complex projects is generally easier than smaller projects. More code, more bugs. But its still difficult to find serious issues on the level of a sandbox escape in Chromium just because Google's long-running reward system means lots of people have spent lots of time looking into it, both manually and using automated fuzzer tools.
Back in ye olden days of 2014 I randomly stumbled upon a Chrome issue (wasn't trying to find bugs, was just writing some JavaScript code and noticed a problem) and reported it to Google and they paid me $1,500. Not bad for like half an hour's work to report the issue.
I feel like it's the opposite. In a huge project there's bound to be many weird interactions between components, and it's about picking the important/security relevant ones and finding edge cases. In this case the focus was on the interaction between the renderer process and the broker. That forms a security boundary so it makes sense to focus your efforts there - google will pay for such exploits since they can in theory, when combined with other exploits in the renderer process, lead directly to exploits that can be triggered just by opening a web page. So, yes, chrome is a huge project but the list of security-relevant locations to probe actually isn't actually all that long. That's not to diminish the researchers work, it still takes an insane amount of skill to find these issues.
hnlmorg · 4h ago
Finding a problem that deserves a bug bounty reward is a very different beast to just finding quirks.
I read from one security researchers somewhere that professionals wouldn’t find enough bug bounty worthy problems in high enough frequency to pay their bills. So they’ll sometimes treat things like this more as a supplement to promote their CV rather than as a job itself.
high_na_euv · 5h ago
Kind of life changing money, good to see such rewards
msh · 1h ago
Where I live (Denmark) even if it was tax free you would more or less be unable to purchase an one bedroom apartment in the capital for this amount.
socalgal2 · 3h ago
the first time I got a bonus that big, $240k, I thought it would be life changing. the gov took $100k in taxes. I paid off my car $20k. then when I really thought about it there wasn’t much I could do.
It was not a down payment on a house in LA/SF/NYC. it was not enough to start a company and hire people. If I’d changed my life style to be like a college student and live with roommates then it might have given me 2-3 years of student lifestyle but I was 34 and not prepared to go back to student lifestyle
To be honest it was super disappointing. Of course getting a $240k bonus is a privilege. My only point was it didn’t change my life like I thought it would.
And, that was 25 years ago. today, even a million ($600k after taxes) in those 3 cities won’t likely change your life. Maybe you could put a down payment on a house or pay for your kids college tho but it not the freedom I thought it would be
gambiting · 3h ago
Depends where you live. Where I'm from $240k would buy you a really nice house with lots of land, and you'd have money left over.
>>won’t likely change your life. Maybe you could put a down payment on a house or pay for your kids college tho but it not the freedom I thought it would be
How is being able to put a down paymenent on a house or being able to send your kids to collage debt-free not life changing?
sgjohnson · 3h ago
> How is being able to put a down paymenent on a house or being able to send your kids to collage debt-free not life changing?
Because neither of those are going to change your daily life that much? It simplifies a thing or two, but neither of those things are life-changing.
gambiting · 2h ago
I can only assume you'd say so if you were able to do either of those things in the first place, so yeah, it doesn't feel life changing. It's like winning a car in a radio lottery when you already had a car - yeah pretty cool, but not life changing.
There's a lot of people who can't even imagine ever being able to put down a deposit on a house or to send their kids to collage debt-free. With an amount of money like that you can go from being trapped in a rent hell forever to actually purchasing your own house. Or you can give your kids the education you want to give them. They are major, life changing impacts. Again, to describe it as "simplifes a thing or two" to me implies that you could do them even without this money in which case yeah, it changes very little.
msh · 1h ago
I guess it perspective and where you are in life plus your location in the world, I would have to pay 50% tax on it so well a down payment could be it but I would still have to affort the house.
I have a hard time seeing it as life changing for me, having a decent paying job (not silicon valley developer scale) in a expensive country. Ofc if I was having a low paying career without that many perspective my outlook might differ.
I dont live a place where you pay for your kids being in college so I cant speak for that part.
defraudbah · 2h ago
why comments about taxes get gray here? is it bad behavior in US to discuss taxes?
sgjohnson · 3h ago
Depends on where in the world you are. I wouldn't call $250k life-changing-money anywhere developed.
It's "I can probably stop worrying about money for a while" kind of money, not "life-changing" money. Not a whole lot you can buy for $250k. After taxes, that probably doesn't even buy a house.
handsclean · 1h ago
Can somebody help me understand why these obviously very stupid takes keep popping up on HN? Is it rich people who genuinely have no idea what anything costs? Is it rich people intentionally being cruel to everybody else? Is it people trying to appear rich by pretending they have no idea what anything costs? Is it a bay area thing, are people just blowing through a literal fortune every year and unaware of their spending problems? Is it children whose ideas about money come from “influencers”?
petcat · 1h ago
> Is it rich people intentionally being cruel to everybody else?
If you got a $240,000 bonus in the mid-2000s in tech, that very likely means you were living in one of the tech metros (SF, NYC) and you could expect nearly 50% of that to be paid in taxes (CA/Fed, NY/NYC/Fed). So you take home about $120,000.
It's a windfall of money to be sure. But being in an employment situation where even such a bonus is possible likely means you already have significantly higher costs than the average person. Maybe you'll pay down some student loans and bolster your savings. But this is far from being "rich". High-earners also tend to have high costs of living.
jynelson · 42m ago
tech salaries in the US are high enough that this is approximately 1-3 years of income as a lump sum. more than that, if you got this amount as a bonus you already have stupid money.
of course $140k would be life changing for most people. but OP, and i suspect most of the other commenters, are not in that situation.
tonyhart7 · 1h ago
this is just US people culture, its all about money and taxes
they should worrying their budget when they have 1 trillion to fund war machine
robin_reala · 3h ago
In Sweden, assuming that $125k of that disappears in taxes, it’d leave you with 1.2M SEK. There are currently ~650 properties on Hemnet between 1M and 1.25M. I’d suggest maybe this one in Ödeshög at 1.1M SEK? https://www.hemnet.se/bostad/villa-3rum-odeshog-odeshogs-kom... Not the biggest, but it’s reasonably well done up, comes with 2/3rds of an acre of land, is near a main motorway to get to places, and near the shore of the biggest lake in the country. If you want to take a train then it’s 30 minutes drive to the nearest station on the Stockholm-Copenhagen line.
mkagenius · 4h ago
Impressive speed on rewarding as well. Around 4 weeks.
Lot of companies will sit for months just to acknowledge your submission.
matsemann · 5h ago
Is there somewhere explaining this bug in terms understandable for someone not dabbling in this?
I don't really understand how this works to "escape the sandbox". Normally it's like a website you visit that get access it shouldn't have. But this talk about renderers and native apis make it seem like it's stuff another process on the computer would do?
Retr0id · 5h ago
First you compromise the renderer process via e.g. a bug in the JS engine. But even if you have native code execution in the context of the renderer process, you're still in a sandbox.
The bug in the OP is for the second stage - breaking out of the sandbox.
The referenced `patch.diff` is basically for simulating a compromised renderer.
matsemann · 5h ago
Ah, so it's like a two stage rocket, this turns a small exploit into a humongous one?
tetha · 4h ago
Or an escape room, indeed.
Once you're thinking along the lines of "Alright, if I had some order of flags, I could solve that thing over there. If I knew some kind of weights, I could solve that over there. And if I could find a light bulb I could deal with that over there", you're kinda in the mindset of finding an exploitation chain.
It's just that in the security world, it's more about bad memory accesses, confusing programs into doing the right actions with wrong files, file permissions being weird and such.
Retr0id · 1h ago
Sorta, although I wouldn't necessarily call the first exploit "small", it's at least equally important in the overall chain. "Chain" being the more usual metaphor, for this reason.
baobabKoodaa · 4h ago
This sounds like a good way to think about exploit chains (though I'm not an expert)
kristianp · 1h ago
> The referenced `patch.diff` is basically for simulating a compromised renderer.
The patch.diff part is hard to understand. Surely if you have a compromised renderer, you have effectively full access to the machine already?
saagarjha · 1h ago
Modern browsers have multiple processes with different sandbox policies. The renderer process handles untrusted web content and is heavily sandboxed. The browser process does all the other stuff required to interact with your computer (and is generally much less isolated).
Retr0id · 1h ago
No, because of the sandbox.
krtkush · 5h ago
How does one start acquiring skills like these?
WalterBright · 5h ago
Spending a lot of time debugging code. Eventually, the pattern recognizer in your brain will pick out the bugs. The term for this is "code smell".
For example, when I'd review C code I'd look at the str???() function use. They are nearly always infested with bugs, usually either neglecting to add a terminator zero or neglecting to add sufficient storage for the terminating zero.
jve · 4h ago
It is crazy that anytime someone works on application layer and wants to manipulate string, which is a very, very common thing to do when writing application, one has to consider \0 which would be an implementation detail.
How can that language still be so popular?
saagarjha · 1h ago
Programming is the consideration of implementation details. When you manipulate strings in C you consider the terminating nul byte just like when you manipulate strings in Python you consider how its stores codepoints or when you manipulate strings in Swift you think about grapheme clusters. There is no free lunch. (Though, of course, you can get reduced price lunches based on the choices you make!)
uecker · 3h ago
The language is just fine. The real question is: Why do people not use a string library that abstracts this away safely?
saagarjha · 1h ago
Why does the language not make one?
tonyhart7 · 1h ago
because at that time, C creator didn't know thing would evolve into the future. after all computer is a new thing
saagarjha · 1h ago
Ok, but the question asks why one isn't made today.
uecker · 51m ago
There are many string libraries.
saagarjha · 49m ago
As you can expect, the answer to your question is the obvious one.
eska · 2h ago
Lots of C applications nowadays don’t actually use any of the str functions or null termination.
avar · 3h ago
Because whatever language you think should be popular instead is running on a mountain of C code, but the reverse isn't true.
AlienRobot · 3h ago
Okay, I want to make a desktop app that runs on Linux. Which language should I use? Java?
jve · 3h ago
That questions is kind of the point I want to make. We live in 2025 and C is still an option for new applications, i.e wrong abstraction layer for application level development.
No doubt there are valid reasons to use it, that is just the state of things they are unfortunately.
rkomorn · 3h ago
Some current trendy options would be Kotlin (with Kotlin Multiplatform) or C# (with Avalonia UI).
Edit: I guess I should've at least asked myself if the question was rhetorical.
I get the feeling these kind of skills are very rare because they fall in the category "understanding and debugging other people code/mess", while most people prefer to build new things (and often struggle to debug their own work).
It takes a lot a passion and dedication to security and reverse engineering to get there.
mdaniel · 5h ago
Practice, and having supernatural perseverance (although probably not in that order)
I'd guess the curriculum is half reverse engineering and half reading any write-ups to see the attacks and areas of attack for inspiration
I didn’t get anything for my JavaScript recursive reference failure defect report a decade ago, but then it also wasn’t a sev1 security compromise defect either.
colbyn · 5h ago
Suppose someone wanted to dive into other projects with the ambition of finding high value bugs. Besides chromium what would you recommend or consider? What would be your thought process for deciding what projects to look into?
kafrofrite · 5h ago
The answer to your question is WebKit (because iOS), kernels (XNU, Linux, Windows) etc. In case you are not familiar with the domain I'd start with user-space exploitation and relevant write ups to get my feet wet. You'll find plenty of write ups, blogs etc. so I'll skip those.
Some of the books I generally found interesting are [1],[2], [3]. There's more to that, including fundamental concepts of CS (e.g., compilers and optimization in JITs, OS architecture etc.). I believe also https://p.ost2.fyi/dashboard has some relevant training.
Bugs are "High value" in different ways, you have to find the companies willing to pay highly. Most of the high payers are on bug bounty programs (like hackerone.com) and don't always give you ability to talk about bugs later.
Google is quite unique here, particularly given Chrome is paying easily 10x what Mozilla would for a sandbox escape. Apple is in the middle -- per [1] a "WebContent sandbox escape" would be $50k, but to get $250k on their scale you need to combine that with a kernel bug.
So if you want to optimise for "value", you have to pick the targets that are easier (still not easy, obviously).
I wonder how much the black market would pay for an exploit like that - anyone know?
defraudbah · 2h ago
not 250k for sure :)
Google security team is really good, however sometimes things are controversial because certain bugs gets ignored in MS-way which is famous for not paying/not fixing.
ertucetin · 2h ago
Does this mean engineers of Google can't fix it?
saagarjha · 1h ago
No, it was fixed after it was reported.
OutOfHere · 5h ago
It is unfortunate that there is no web browser in a memory safe language. As I understand, both Chromium and Firefox use C++, although Firefox partly uses Rust. This has put billions of people at risk.
acer4666 · 5h ago
This post is about a logic bug that could have happened in any language
PhilipRoman · 4h ago
One of the biggest security holes is the JIT engine, rewriting it in Rust or any other language wouldn't make a difference, since it is effectively an inner platform.
qcnguy · 5h ago
This bug is a logic error iiuc so language wouldn't help.
camdroidw · 4h ago
Servo project is active and probably usable in a year or two (but as others have said this bug is different)
BillLumbergh · 2h ago
Google have money to burn though.
MrGilbert · 5h ago
"Decent." was the first word that came into my mind. After a second, I realized that 250,000 USD ist basically 0.00022 % of Alphabet's (Google's?) annual net income [0].
A life changing amount of money for an individual, but nothing more than a small blip on Google's charts. Of course, I'm aware of "budgets" and "departments", and that one simply does not move funds between departments. And while my mind is on the verge of "maybe they should have paid more?", the numbers would mean that even 10x the sum would move the percentage by one decimal. It's wild how much money big corporations have.
I highly applaud the researcher for their tremendous amount of skill and dedication.
How much Alphabet makes is almost irrelevant. The incentive here should be for security researchers. As long as there's enough incentive for security researchers to continue to report the bugs they find (which must be balanced against the potential payment a criminal could get if exploiting the bug, which is not directly correlated to the company's income either, at least not necessarily), the payment is appropriate.
NitpickLawyer · 5h ago
To be fair, goog has to pay comparable to other 3rd party brokers, and not necessarily "potential payment by exploiting the bug". Finding an exploit and being able to deploy it for financial gains are two distinct problems, with separate skillsets, risks, etc.
Plus there are some other benefits of disclosing to goog. After you get into VRP you get access to grants & stuff and can basically ask to study a problem and get funded for that effort. Being able to blog about it, pad your experience, etc etc. All while not having to look over your shoulder for 3 letter agencies your whole life :)
sneak · 4h ago
You think state intelligence agencies don’t hack whitehats for their 0days?
You know there’s ongoing and plausible efforts by at least 3 organizations to conquer the Earth, right?
MrGilbert · 5h ago
> How much Alphabet makes is almost irrelevant.
While I embrace the downvotes, I disagree. From my pov, the amount of money paid should factor in the anticipated risk for your business. If a privilege escalation means that Google takes a massive hit in Ad Revenue, than this should be factored in.
UncleMeat · 41m ago
Why would it affect ad revenue?
An exploit like this would be abused by somebody who sets up a malicious website to try to take control over somebody's device or otherwise steal secrets from them like keys for cryptocurrencies. These attacks tend to be targeted. Nobody is using an exploit like this to create an ad blocker or even to do ad fraud.
The only risk to revenue here is reputational, and I think that it is likely that the existence of this bug would be less widely known if the bounty program didn't exist and the bug was sold on the black market.
ang_cire · 4h ago
> the amount of money paid should factor in the anticipated risk for your business. If a privilege escalation means that Google takes a massive hit in Ad Revenue, than this should be factored in.
Given this exploit, that would probably lower the payout. There are absolutely tons more sandbox escapes in Chromium engine right now (here's a fun list of previous ones, none of which cost them ad rev[1]), and they're not adversely affecting Google's ad revenue. No company is pulling ads because Chrome has a vuln.
This wouldn't even be the kind of reputational hit that something like SolarWinds was.
So someone found a way to exploit Chrome. Should Google now cash you out some dividends they got from Ads, YouTube, GCP, Pixel, Android and Waymo so they can really feel that it costs them an arm and a leg?
Suddenly incentives are there to apply as a Chrome developer is more lucrative than CxO position because one can produce bugs for friends to find.
bapak · 5h ago
What's your suggestion exactly? Making anyone who can find a bug a millionaire? That's ridiculous. 250k is already insanely high.
You make a bunch money too, should you pay $100 for that taco? It's nothing to you.
MrGilbert · 5h ago
> You make a bunch money too, should you pay $100 for that taco? It's nothing to you.
Looking at my yearly net income, paying 100$ for a single taco in a year would mean that 0.26% of my net income would go into a taco. Paying 0.1$ for a single taco would make it 0.00026%. According to the consensus in this comment section, that would be pretty gracious. Yes, that's where I'm going with this.
//Edit: Thanks at postflopclarity for pointing out my wrong math.
postflopclarity · 4h ago
so you make $5 million / year but you're still incredulous at
> It's wild how much money big corporations have.
?
MrGilbert · 4h ago
I was wondering why my math wasn't mathing, but was too busy to earn money at the same time. Thanks for pointing it out, fixed! Now my statement makes way more sense.
TheDong · 4h ago
Yeah, assuming the people working at the taco shop aren't very well off the taco should cost $100 for a software engineer, $80M for Jeffrey Bezos, and $4 for someone down on their luck.
If we wanted, we could make this more efficient by giving out free healthcare and housing to people, proportional to their need, and tax $95 from the software engineer, $80M from Bezos, and $0 from someone down on their luck.
Progressive Tacos does sound better than Progressive taxation, and it would probably work better because rich people dodge taxes all the time, but come on, who doesn't want to eat tacos?
We (software engineers) won't have proper empathy for the poor until we go into an apple store and the price tag on the iPhone is "20% of your net worth".
bapak · 4h ago
Right. So why work when everything is priced according to your worth? I'll stay in my $2 rent and free food delivery for life. Thank you.
pydry · 5h ago
Equal to the black market price.
Anything less is an incitement to allow exploits to be used in the wild.
bapak · 4h ago
That's a different argument. Price it for its worth, not for my worth.
scarab92 · 5h ago
These types of comparisons are illogical.
There’s little relationship between the net income of a company and what is an appropriate bug bounty, especially a company as diversified as alphabet.
renewiltord · 5h ago
Indeed, one of the great tragedies of life is that this happens. Humans cannot survive without water, yet the median water bill is $80, which is about 1% of the median household's income. People make so much money but refuse to pay for something that literally sustains their life. Join me in requiring that every household at least 10x the amount they pay for this precious water. To employees of water companies: Thank you for your service.
lmz · 5h ago
Have you also considered how much humans ought to be paying the trees for their Oxygen? I may look into buying some shares in those trees if they are available.
MrGilbert · 4h ago
It's fun to twist the rules and put "business life" and "human life" on the same level, innit?
renewiltord · 3h ago
Indeed, I think human life is so much more precious and yet we barely even pay for something critical to it. Embarrassing.
[1] https://bughunters.google.com/about/rules/chrome-friends/574...
[2] https://www.mozilla.org/en-US/security/client-bug-bounty/
Sounds fine to me.
[0]: https://en.wikipedia.org/wiki/Mozilla_Corporation
//Edit: Had a typo in my percentage. 20.000 of 157.000.000 is, indeed, 0.012% - that makes it 50x the amount of Google's percentage.
[1]: https://news.ycombinator.com/item?id=24132168
The payment will stop immediately if Google thinks it's no longer needed, or if federal prosecutors (who have determined this payment is illegal) decide the remedy is to stop the payment. [1]
The CEO's job is simple. Say "I think we should take Google's money again this year", and then pocket several million of it. Ca-ching! What are your plans for post-Google-money? Uh uh... AI? Sell out our users to advertisers? [2] It's not looking good.
The Firefox market share continues to dwindle. The board continues to hob-nob with San Francisco socialites and "activists" and use Mozilla as a piggybank to fund their chums. Mitchell Baker did not leave the gravy train by stepping down as CEO, she merely moved to a different seat on the gravy train - chair of the Mozilla Foundation, where her salary is less visible.
[0] https://en.wikipedia.org/wiki/Mozilla_Corporation#Finances
[1] https://www.bloomberg.com/news/articles/2024-08-05/google-lo...
[2] https://news.ycombinator.com/item?id=43185909
Mitchell has not been a member of the Mozilla Foundation or Mozilla Corporation boards since February 2025.
https://blog.mozilla.org/en/mozilla/mozilla-leadership-growt...
Virtually all of Mozilla's income comes from the browser (via the Google search agreement). The vast majority of Google's revenue comes from ad revenue on search, YouTube, and Adsense. Not from Chrome directly. So they had less incentive to reward its security, but did so anyway. And they also do some of the best work in the industry, free, for competitors via Project Zero.
No comments yet
Surely a bug on Chrome is worth more than a bug on Firefox.
That is why you see equivalent skill levels being paid differently in big tech compared to other places.
And why you see millions in salaries at some big techs Ai hiring.
It's really no secret that higher revenue means higher potential pay/more devs...
How much of the Mozilla foundation's income goes into product development nowadays?
* Or basically just compare black market prices which already taken the above 3 into account
Won't complain about that.
Is monetary expenditure on vulnerability payouts really the primary determinent of who's taking security more seriously, by the way? Sounds a bit backwards to me.
Yup, clearly Mozilla.
$250k is loose change for Google.
Now, with EDR widely deployed it's likely that the exploit usage ends up being caught sooner than later, but pretty sure some dictatorship intelligence agency would have found all those journalists deep compromise worthwhile...
How?
I've been paid by bug bounties (although not that big) and I have no idea how I would find a trustworthy criminal to sell to.
I guess I'd need to find a forum? Unless my opsec is exemplary then I'm risking being exposed. I'd need to vet that the buyer would actually pay me and not just steal it from me. Even if they do pay me, I'd be worried that they'd blackmail me or try to extract something from me. But assuming they're good black-marketeers, I still have to explain to the authorities where this large amount of cash came from.
So how do I go about selling to the black market in a safe way?
Oh, and I don't get to write a blog post about the bug or get my name in front of other researchers and recruiters. That can be worth a huge amount - both in cash and reputation.
Or just sell it to the israelis.
There are companies that specialize in getting grey market bugs in important software, ie browsers and OSes. They are repwat players and have a reputation to actually pay out.
Yes, maybe the exploit could likely be modified to be more reliable. That's more work though.
How much of a premium are they paying to make it worthwhile?
You can find some by researching. AIUI most intros are via personal connections. I'd be wary of the potential ethical implications. There is more than money to life.
Sure, I'd say the "sell it elsewhere" stuff is always a bit overly optimistic but due to the nature of this specific exploit I am pretty sure you could find a buyer offering good compensation.
Getting paid in cryptocurrency isn't necessarily a dodge either because even if you claim you mined it or something, the authorities have got wise to this a while ago IIUC and will expect to see evidence to back that claim up too.
...come to think of it, how does that work? Aren't the most important exploits to patch the ones being actively used in the wild?
In other words, how do they avoid someone playing both sides? "I found an exploit being used by the LEETH4X0R malware [which was in fact created by the guy I sold this exploit to] to steal people's gmail cookies."
You'd have to find out about LEETH4X0R before other researchers, but of course, you'd have a head start.
Yes they will.
Honestly I’d be more worried about crossing the blackhats.
Security services tend to anonymously report security flaws they use after use against any high value target, since they don't want the opponent using those same flaws back at them.
You'll think of something. If you can hack one system, you can hack another.
$250k fully legally and with recognition is probably a good incentive not to bother. White hats have their privileges.
Your hookers and blow dealers won't report you to the taxman.
lol
Hello Defcon!
https://issues.chromium.org/issues/412578726#comment26
Back in ye olden days of 2014 I randomly stumbled upon a Chrome issue (wasn't trying to find bugs, was just writing some JavaScript code and noticed a problem) and reported it to Google and they paid me $1,500. Not bad for like half an hour's work to report the issue.
https://issues.chromium.org/issues/40078754
I read from one security researchers somewhere that professionals wouldn’t find enough bug bounty worthy problems in high enough frequency to pay their bills. So they’ll sometimes treat things like this more as a supplement to promote their CV rather than as a job itself.
It was not a down payment on a house in LA/SF/NYC. it was not enough to start a company and hire people. If I’d changed my life style to be like a college student and live with roommates then it might have given me 2-3 years of student lifestyle but I was 34 and not prepared to go back to student lifestyle
To be honest it was super disappointing. Of course getting a $240k bonus is a privilege. My only point was it didn’t change my life like I thought it would.
And, that was 25 years ago. today, even a million ($600k after taxes) in those 3 cities won’t likely change your life. Maybe you could put a down payment on a house or pay for your kids college tho but it not the freedom I thought it would be
>>won’t likely change your life. Maybe you could put a down payment on a house or pay for your kids college tho but it not the freedom I thought it would be
How is being able to put a down paymenent on a house or being able to send your kids to collage debt-free not life changing?
Because neither of those are going to change your daily life that much? It simplifies a thing or two, but neither of those things are life-changing.
There's a lot of people who can't even imagine ever being able to put down a deposit on a house or to send their kids to collage debt-free. With an amount of money like that you can go from being trapped in a rent hell forever to actually purchasing your own house. Or you can give your kids the education you want to give them. They are major, life changing impacts. Again, to describe it as "simplifes a thing or two" to me implies that you could do them even without this money in which case yeah, it changes very little.
I have a hard time seeing it as life changing for me, having a decent paying job (not silicon valley developer scale) in a expensive country. Ofc if I was having a low paying career without that many perspective my outlook might differ.
I dont live a place where you pay for your kids being in college so I cant speak for that part.
It's "I can probably stop worrying about money for a while" kind of money, not "life-changing" money. Not a whole lot you can buy for $250k. After taxes, that probably doesn't even buy a house.
If you got a $240,000 bonus in the mid-2000s in tech, that very likely means you were living in one of the tech metros (SF, NYC) and you could expect nearly 50% of that to be paid in taxes (CA/Fed, NY/NYC/Fed). So you take home about $120,000.
It's a windfall of money to be sure. But being in an employment situation where even such a bonus is possible likely means you already have significantly higher costs than the average person. Maybe you'll pay down some student loans and bolster your savings. But this is far from being "rich". High-earners also tend to have high costs of living.
of course $140k would be life changing for most people. but OP, and i suspect most of the other commenters, are not in that situation.
Lot of companies will sit for months just to acknowledge your submission.
I don't really understand how this works to "escape the sandbox". Normally it's like a website you visit that get access it shouldn't have. But this talk about renderers and native apis make it seem like it's stuff another process on the computer would do?
The bug in the OP is for the second stage - breaking out of the sandbox.
The referenced `patch.diff` is basically for simulating a compromised renderer.
Once you're thinking along the lines of "Alright, if I had some order of flags, I could solve that thing over there. If I knew some kind of weights, I could solve that over there. And if I could find a light bulb I could deal with that over there", you're kinda in the mindset of finding an exploitation chain.
It's just that in the security world, it's more about bad memory accesses, confusing programs into doing the right actions with wrong files, file permissions being weird and such.
The patch.diff part is hard to understand. Surely if you have a compromised renderer, you have effectively full access to the machine already?
For example, when I'd review C code I'd look at the str???() function use. They are nearly always infested with bugs, usually either neglecting to add a terminator zero or neglecting to add sufficient storage for the terminating zero.
How can that language still be so popular?
No doubt there are valid reasons to use it, that is just the state of things they are unfortunately.
Edit: I guess I should've at least asked myself if the question was rhetorical.
It takes a lot a passion and dedication to security and reverse engineering to get there.
I'd guess the curriculum is half reverse engineering and half reading any write-ups to see the attacks and areas of attack for inspiration
[1] https://nostarch.com/zero-day
[2] https://nostarch.com/hacking2.htm
[3] https://ia801309.us.archive.org/26/items/Wiley.The.Shellcode...
Google is quite unique here, particularly given Chrome is paying easily 10x what Mozilla would for a sandbox escape. Apple is in the middle -- per [1] a "WebContent sandbox escape" would be $50k, but to get $250k on their scale you need to combine that with a kernel bug.
So if you want to optimise for "value", you have to pick the targets that are easier (still not easy, obviously).
[1]: https://security.apple.com/bounty/categories/
Google security team is really good, however sometimes things are controversial because certain bugs gets ignored in MS-way which is famous for not paying/not fixing.
A life changing amount of money for an individual, but nothing more than a small blip on Google's charts. Of course, I'm aware of "budgets" and "departments", and that one simply does not move funds between departments. And while my mind is on the verge of "maybe they should have paid more?", the numbers would mean that even 10x the sum would move the percentage by one decimal. It's wild how much money big corporations have.
I highly applaud the researcher for their tremendous amount of skill and dedication.
[0] https://www.reddit.com/r/google/comments/1lh0pl4/google_is_n...
Plus there are some other benefits of disclosing to goog. After you get into VRP you get access to grants & stuff and can basically ask to study a problem and get funded for that effort. Being able to blog about it, pad your experience, etc etc. All while not having to look over your shoulder for 3 letter agencies your whole life :)
You know there’s ongoing and plausible efforts by at least 3 organizations to conquer the Earth, right?
While I embrace the downvotes, I disagree. From my pov, the amount of money paid should factor in the anticipated risk for your business. If a privilege escalation means that Google takes a massive hit in Ad Revenue, than this should be factored in.
An exploit like this would be abused by somebody who sets up a malicious website to try to take control over somebody's device or otherwise steal secrets from them like keys for cryptocurrencies. These attacks tend to be targeted. Nobody is using an exploit like this to create an ad blocker or even to do ad fraud.
The only risk to revenue here is reputational, and I think that it is likely that the existence of this bug would be less widely known if the bounty program didn't exist and the bug was sold on the black market.
Given this exploit, that would probably lower the payout. There are absolutely tons more sandbox escapes in Chromium engine right now (here's a fun list of previous ones, none of which cost them ad rev[1]), and they're not adversely affecting Google's ad revenue. No company is pulling ads because Chrome has a vuln.
This wouldn't even be the kind of reputational hit that something like SolarWinds was.
[1]: https://github.com/allpaca/chrome-sbx-db
Suddenly incentives are there to apply as a Chrome developer is more lucrative than CxO position because one can produce bugs for friends to find.
You make a bunch money too, should you pay $100 for that taco? It's nothing to you.
Looking at my yearly net income, paying 100$ for a single taco in a year would mean that 0.26% of my net income would go into a taco. Paying 0.1$ for a single taco would make it 0.00026%. According to the consensus in this comment section, that would be pretty gracious. Yes, that's where I'm going with this.
//Edit: Thanks at postflopclarity for pointing out my wrong math.
> It's wild how much money big corporations have. ?
If we wanted, we could make this more efficient by giving out free healthcare and housing to people, proportional to their need, and tax $95 from the software engineer, $80M from Bezos, and $0 from someone down on their luck.
Progressive Tacos does sound better than Progressive taxation, and it would probably work better because rich people dodge taxes all the time, but come on, who doesn't want to eat tacos?
We (software engineers) won't have proper empathy for the poor until we go into an apple store and the price tag on the iPhone is "20% of your net worth".
Anything less is an incitement to allow exploits to be used in the wild.
There’s little relationship between the net income of a company and what is an appropriate bug bounty, especially a company as diversified as alphabet.