Google paid a $250K reward for a bug

According to Wikipedia, that's 0.012% of their net income. [0] While I'm being told in the comments that this is not the way to look at it, it means that this is, percentage wise, 50x the amount that Google is paying.

Sounds fine to me.

[0]: https://en.wikipedia.org/wiki/Mozilla_Corporation

//Edit: Had a typo in my percentage. 20.000 of 157.000.000 is, indeed, 0.012% - that makes it 50x the amount of Google's percentage.

Have you looked at the financial health of the one company vs the other? I am pretty sure Google is making more than 10x the money Mozilla is making.

* Compare income * Compare market share * Compare market share normalised by likelihood of attack yielding benefit, in short-- fx users would be power users probably more likely to have other ways to mitigate an attack

* Or basically just compare black market prices which already taken the above 3 into account

Tells you who is more serious about security. A quarter of $1M is a fair price for this type of bug.

Won't complain about that.

Selling something to the black market doesn't magically make it tax free. It's almost the opposite. The money is going to show up in your auditable accounts sooner or later, so it's best to pay tax on it, but you'll also have to come up with a fake but auditable story of where it came from, meaning you'll have to engage the services of professional money launderers. They will also take a cut. So, it's like paying tax twice.

Getting paid in cryptocurrency isn't necessarily a dodge either because even if you claim you mined it or something, the authorities have got wise to this a while ago IIUC and will expect to see evidence to back that claim up too.

> pretty sure it he could have gotten more tax free on the black market.

How?

I've been paid by bug bounties (although not that big) and I have no idea how I would find a trustworthy criminal to sell to.

I guess I'd need to find a forum? Unless my opsec is exemplary then I'm risking being exposed. I'd need to vet that the buyer would actually pay me and not just steal it from me. Even if they do pay me, I'd be worried that they'd blackmail me or try to extract something from me. But assuming they're good black-marketeers, I still have to explain to the authorities where this large amount of cash came from.

So how do I go about selling to the black market in a safe way?

Oh, and I don't get to write a blog post about the bug or get my name in front of other researchers and recruiters. That can be worth a huge amount - both in cash and reputation.

Why not collect from both of the sources? First collect with your black hat and then with your white.

What if people start asking questions where you got the million dollars from? I've never understood how those presumably illegal markets can function with such large sums involved.

This is true for all crime.

Not really tax free lol! In both cases you arent getting withholding so you need to declare it.

Finding issues in large complex projects is generally easier than smaller projects. More code, more bugs. But its still difficult to find serious issues on the level of a sandbox escape in Chromium just because Google's long-running reward system means lots of people have spent lots of time looking into it, both manually and using automated fuzzer tools.

Back in ye olden days of 2014 I randomly stumbled upon a Chrome issue (wasn't trying to find bugs, was just writing some JavaScript code and noticed a problem) and reported it to Google and they paid me $1,500. Not bad for like half an hour's work to report the issue.

https://issues.chromium.org/issues/40078754

I feel like it's the opposite. In a huge project there's bound to be many weird interactions between components, and it's about picking the important/security relevant ones and finding edge cases. In this case the focus was on the interaction between the renderer process and the broker. That forms a security boundary so it makes sense to focus your efforts there - google will pay for such exploits since they can in theory, when combined with other exploits in the renderer process, lead directly to exploits that can be triggered just by opening a web page. So, yes, chrome is a huge project but the list of security-relevant locations to probe actually isn't actually all that long. That's not to diminish the researchers work, it still takes an insane amount of skill to find these issues.

the first time I got a bonus that big, $240k, I thought it would be life changing. the gov took $100k in taxes. I paid off my car $20k. then when I really thought about it there wasn’t much I could do.

It was not a down payment on a house in LA/SF/NYC. it was not enough to start a company and hire people. If I’d changed my life style to be like a college student and live with roommates then it might have given me 2-3 years of student lifestyle but I was 34 and not prepared to go back to student lifestyle

To be honest it was super disappointing. Of course getting a $240k bonus is a privilege. My only point was it didn’t change my life like I thought it would.

And, that was 25 years ago. today, even a million ($600k after taxes) in those 3 cities won’t likely change your life. Maybe you could put a down payment on a house or pay for your kids college tho but it not the freedom I thought it would be

Depends on where in the world you are. I wouldn't call $250k life-changing-money anywhere developed.

It's "I can probably stop worrying about money for a while" kind of money, not "life-changing" money. Not a whole lot you can buy for $250k. After taxes, that probably doesn't even buy a house.

First you compromise the renderer process via e.g. a bug in the JS engine. But even if you have native code execution in the context of the renderer process, you're still in a sandbox.

The bug in the OP is for the second stage - breaking out of the sandbox.

The referenced `patch.diff` is basically for simulating a compromised renderer.

Spending a lot of time debugging code. Eventually, the pattern recognizer in your brain will pick out the bugs. The term for this is "code smell".

For example, when I'd review C code I'd look at the str???() function use. They are nearly always infested with bugs, usually either neglecting to add a terminator zero or neglecting to add sufficient storage for the terminating zero.

Practice, and having supernatural perseverance (although probably not in that order)

I'd guess the curriculum is half reverse engineering and half reading any write-ups to see the attacks and areas of attack for inspiration

I get the feeling these kind of skills are very rare because they fall in the category "understanding and debugging other people code/mess", while most people prefer to build new things (and often struggle to debug their own work).

It takes a lot a passion and dedication to security and reverse engineering to get there.

Read the blogs of the guys creating the bugs.

The answer to your question is WebKit (because iOS), kernels (XNU, Linux, Windows) etc. In case you are not familiar with the domain I'd start with user-space exploitation and relevant write ups to get my feet wet. You'll find plenty of write ups, blogs etc. so I'll skip those. Some of the books I generally found interesting are [1],[2], [3]. There's more to that, including fundamental concepts of CS (e.g., compilers and optimization in JITs, OS architecture etc.). I believe also https://p.ost2.fyi/dashboard has some relevant training.

[1] https://nostarch.com/zero-day

[2] https://nostarch.com/hacking2.htm

[3] https://ia801309.us.archive.org/26/items/Wiley.The.Shellcode...

Bugs are "High value" in different ways, you have to find the companies willing to pay highly. Most of the high payers are on bug bounty programs (like hackerone.com) and don't always give you ability to talk about bugs later.

Google is quite unique here, particularly given Chrome is paying easily 10x what Mozilla would for a sandbox escape. Apple is in the middle -- per [1] a "WebContent sandbox escape" would be $50k, but to get $250k on their scale you need to combine that with a kernel bug.

So if you want to optimise for "value", you have to pick the targets that are easier (still not easy, obviously).

[1]: https://security.apple.com/bounty/categories/

This post is about a logic bug that could have happened in any language

One of the biggest security holes is the JIT engine, rewriting it in Rust or any other language wouldn't make a difference, since it is effectively an inner platform.

This bug is a logic error iiuc so language wouldn't help.

Servo project is active and probably usable in a year or two (but as others have said this bug is different)

How much Alphabet makes is almost irrelevant. The incentive here should be for security researchers. As long as there's enough incentive for security researchers to continue to report the bugs they find (which must be balanced against the potential payment a criminal could get if exploiting the bug, which is not directly correlated to the company's income either, at least not necessarily), the payment is appropriate.

So someone found a way to exploit Chrome. Should Google now cash you out some dividends they got from Ads, YouTube, GCP, Pixel, Android and Waymo so they can really feel that it costs them an arm and a leg?

Suddenly incentives are there to apply as a Chrome developer is more lucrative than CxO position because one can produce bugs for friends to find.

What's your suggestion exactly? Making anyone who can find a bug a millionaire? That's ridiculous. 250k is already insanely high.

You make a bunch money too, should you pay $100 for that taco? It's nothing to you.

These types of comparisons are illogical.

There’s little relationship between the net income of a company and what is an appropriate bug bounty, especially a company as diversified as alphabet.

Indeed, one of the great tragedies of life is that this happens. Humans cannot survive without water, yet the median water bill is $80, which is about 1% of the median household's income. People make so much money but refuse to pay for something that literally sustains their life. Join me in requiring that every household at least 10x the amount they pay for this precious water. To employees of water companies: Thank you for your service.