He had a pretty reliable exploit on the most used browser, pretty sure it he could have gotten more tax free on the black market.
Now, with EDR widely deployed it's likely that the exploit usage ends up being caught sooner than later, but pretty sure some dictatorship intelligence agency would have found all those journalists deep compromise worthwhile...
> pretty sure it he could have gotten more tax free on the black market.
How?
I've been paid by bug bounties (although not that big) and I have no idea how I would find a trustworthy criminal to sell to.
I guess I'd need to find a forum? Unless my opsec is exemplary then I'm risking being exposed. I'd need to vet that the buyer would actually pay me and not just steal it from me. Even if they do pay me, I'd be worried that they'd blackmail me or try to extract something from me. But assuming they're good black-marketeers, I still have to explain to the authorities where this large amount of cash came from.
So how do I go about selling to the black market in a safe way?
Oh, and I don't get to write a blog post about the bug or get my name in front of other researchers and recruiters. That can be worth a huge amount - both in cash and reputation.
Mostly the best market is intelligence agency vendors. As a US citizen, I would only be comfortable selling to US contractors. There are a bunch; if you go to conferences you probably meet the people there (look at the sponsors...).
It won't be tax-free, though; you'd probably get a 1099, but if you're smart could set it up as corp to corp and deduct a bunch of other expenses from it. Part of the sale is signing a bunch of NDAs, etc so you can't then release it to others.
There are companies that specialize in getting grey market bugs in important software, ie browsers and OSes. They are repwat players and have a reputation to actually pay out.
Thats what trusted middle men are for, instead of gaining rep among infosec posers on twitter you build rep under your anonymous alias. This is nothing new.
Selling something to the black market doesn't magically make it tax free. It's almost the opposite. The money is going to show up in your auditable accounts sooner or later, so it's best to pay tax on it, but you'll also have to come up with a fake but auditable story of where it came from, meaning you'll have to engage the services of professional money launderers. They will also take a cut. So, it's like paying tax twice.
Getting paid in cryptocurrency isn't necessarily a dodge either because even if you claim you mined it or something, the authorities have got wise to this a while ago IIUC and will expect to see evidence to back that claim up too.
The money itself might not be dirty, couldn’t you just claim something like “I sold a secret, highly valuable algorithm to this guy”? Tax would still need to be paid of course
Everybody here is coldly evaluating the financial profit comparison. How about being a decent human being, and not enabling hundreds of criminals to hurt millions of people because your net income is potentially better?
People are fixated, across this thread, on a black market of organized criminals buying vulnerabilities, but for the most part criminals aren't the real alternative market buyers for high-end vulnerabilities, and while people on message boards may incline towards viewing IC and LEO agencies as themselves criminal, I think you'll find a pretty substantial fraction of normal people find supplying IC/LEO agencies as more than just decent; praiseworthy, even.
That thorny ethical issue aside, I'm fond of pointing out that the IC's main alternative to CNE intelligence collection is human intelligence, and the cost of HUMINT simply in employee benefits dwarfs any near-term possible cost of exploit enablement packages; 7 figures is a pittance (remember: most major western governments are essentially benefits management organizations with standing armies).
Even given the seemingly vast sums earned by organized crime, government buyers are positioned to decisively outbid crime over the medium term. It's really early days for these markets.
First, it's not "black market" vs. "non-black market"; most remunerative sales outside of bounty programs are grey-market --- mostly lawful, but all under the table, largely because they're to agencies that are protective of their sources and methods.
The mechanism grey-market buyers have to protect their interests against over-selling bugs is tranched payments. Sellers make much of their returns from bugs on the back end through "maintenance agreements", which both require the seller to keep e.g. the offsets in their exploits current and reliable against new patch levels of the target, and also serve to cut off payment once the vendor kills the bug.
If you sell to both sides, you quickly kill the back end business from the grey market buyers. If you sell to too many or too sketchy grey market buyers, the bug leaks --- vendors see it exploited "in the wild", capture samples, kill the bug; same outcome: tranched payments stop.
This is one reason it can make sense to take a bounty payment that is substantially smaller than what a bug might be worth on the market: you get certainty of payment. Another reason is that the bounty program will only want POC code (perhaps proof of reliability in addition to just exploitability), while the market will want a complete enablement package, which is a lot of work.
Black hats will not pay you for an exploit that dies quickly once the white hats get your report. White hats will not pay you for an exploit that you fenced to a black hat agency and showed up in the wild.
Security services tend to anonymously report security flaws they use after use against any high value target, since they don't want the opponent using those same flaws back at them.
An exploit that is used is an exploit that will eventually leave traces that an analyst will look at (if used on a corporate PC)... Either you use it very sparingly on HVT or you end up on the EDR radars and some IOC will be made public eventually.
Yes; this is the one case where there's a liquid market for these kinds of vulnerabilities. The important detail: for these (and only these) bugs, you can sell them multiple times; for instance, firms exist that specialize in selling these bugs and their enablement packages to, say, every law enforcement and intelligence agency in a single country.
What if people start asking questions where you got the million dollars from? I've never understood how those presumably illegal markets can function with such large sums involved.
Why? If you actually exit the sandbox you'll start leaving traces, and eventually you'll slip and be looked at. That's part of the story EDR vendors sell at least.
You can't deny that you are way more likely to burn the exploit using it on a machine under watch than on a machine that is not...
According to Wikipedia, that's 0.012% of their net income. [0]
While I'm being told in the comments that this is not the way to look at it, it means that this is, percentage wise, 50x the amount that Google is paying.
But Chrome is paying more as a percentage of their browser units' income, no?
Virtually all of Mozilla's income comes from the browser (via the Google search agreement). The vast majority of Google's revenue comes from ad revenue on search, YouTube, and Adsense. Not from Chrome directly. So they had less incentive to reward its security, but did so anyway. And they also do some of the best work in the industry, free, for competitors via Project Zero.
Chrome has 15-20 times the users that firefox in the blackmarket the bug would sell for similar ratio. Safari might go for more as it has more rich and tech security illiterate users.
disagree. more marketshare does not mean juicier targets, which, in this case, would be tor users. in addition, you don't buy an exploit to use it en masse, that would get it burned really quickly
It'd be fun to do a sketch that's a montage of an array of HN armchair quarterbacks rolling up their sleeves and taking short-lived shots at CEO for Mozilla.
Marching into the home office, kicking butt, and pointing at the whiteboard for their favorite pet project:
* Mozilla focusing on privacy
* Mozilla focusing on web standards
* Mozilla focusing on speed
* Mozilla (apparently, here) focusing on maximizing the size of payouts for bug bounties
Inspiring, Rocky-style music plays in the background.
In the foreground, a red line continuously traces slowly downward, with no perceivable relationship to the scenes in the montage.
* Compare income
* Compare market share
* Compare market share normalised by likelihood of attack yielding benefit, in short-- fx users would be power users probably more likely to have other ways to mitigate an attack
* Or basically just compare black market prices which already taken the above 3 into account
Really doesn't tell me piss all, as I'm not privy to their respective overall cash flow. Are you, considering you say it does for you?
Is monetary expenditure on vulnerability payouts really the primary determinent of who's taking security more seriously, by the way? Sounds a bit backwards to me.
Is there somewhere explaining this bug in terms understandable for someone not dabbling in this?
I don't really understand how this works to "escape the sandbox". Normally it's like a website you visit that get access it shouldn't have. But this talk about renderers and native apis make it seem like it's stuff another process on the computer would do?
First you compromise the renderer process via e.g. a bug in the JS engine. But even if you have native code execution in the context of the renderer process, you're still in a sandbox.
The bug in the OP is for the second stage - breaking out of the sandbox.
The referenced `patch.diff` is basically for simulating a compromised renderer.
It looks like the bug is that there is a way for the renderer (sandboxed) process to trigger the browser (unsandboxed) process to duplicate an arbitrary windows kernel object handle. When you duplicate a handle, you can restrict access, or allow the duplicate to have full access as the original - unfortunately this one is duplicating preserving all the capabilities/access of the original handle.
Now for the POC exploit - it so happens that 0x108 is typically a thread handle for a thread in the browser process. What can you do with a thread handle? You can pause execution of that thread, set its register values (including instruction pointer), resume execution.
If kernel32.dll loads at the same address in each process, we can find some set of instructions in it that write a register's value to another register's address. If we set the instruction pointer to that instruction, we've unlocked the ability to write arbitrary memory in the unsandboxed process.
Finally, we can call other Windows APIs (by finding the address of the function to call and setting instruction pointer to it)- in the POC, they write "calc.exe" to a string, then call the system api to launch calculator.
the first time I got a bonus that big, $240k, I thought it would be life changing. the gov took $100k in taxes. I paid off my car $20k. then when I really thought about it there wasn’t much I could do.
It was not a down payment on a house in LA/SF/NYC. it was not enough to start a company and hire people. If I’d changed my life style to be like a college student and live with roommates then it might have given me 2-3 years of student lifestyle but I was 34 and not prepared to go back to student lifestyle
To be honest it was super disappointing. Of course getting a $240k bonus is a privilege. My only point was it didn’t change my life like I thought it would.
And, that was 25 years ago. today, even a million ($600k after taxes) in those 3 cities won’t likely change your life. Maybe you could put a down payment on a house or pay for your kids college tho but it not the freedom I thought it would be
Depends where you live. Where I'm from $240k would buy you a really nice house with lots of land, and you'd have money left over.
>>won’t likely change your life. Maybe you could put a down payment on a house or pay for your kids college tho but it not the freedom I thought it would be
How is being able to put a down paymenent on a house or being able to send your kids to collage debt-free not life changing?
225k in 2025 dollars is life changing for anyone in the middle class of income. The reason you were unable to do anything with it is because you were already earning too much.
For you maybe. For someone in debt or who has never ever had a financial safety net, the amount of stress relief from finally having a bit of safety money behind you is mental.
Depends on where in the world you are. I wouldn't call $250k life-changing-money anywhere developed.
It's "I can probably stop worrying about money for a while" kind of money, not "life-changing" money. Not a whole lot you can buy for $250k. After taxes, that probably doesn't even buy a house.
Can somebody help me understand why these obviously very stupid takes keep popping up on HN? Is it rich people who genuinely have no idea what anything costs? Is it rich people intentionally being cruel to everybody else? Is it people trying to appear rich by pretending they have no idea what anything costs? Is it a bay area thing, are people just blowing through a literal fortune every year and unaware of their spending problems? Is it children whose ideas about money come from “influencers”?
In Sweden, assuming that $125k of that disappears in taxes, it’d leave you with 1.2M SEK. There are currently ~650 properties on Hemnet between 1M and 1.25M. I’d suggest maybe this one in Ödeshög at 1.1M SEK? https://www.hemnet.se/bostad/villa-3rum-odeshog-odeshogs-kom... Not the biggest, but it’s reasonably well done up, comes with 2/3rds of an acre of land, is near a main motorway to get to places, and near the shore of the biggest lake in the country. If you want to take a train then it’s 30 minutes drive to the nearest station on the Stockholm-Copenhagen line.
Finding issues in large complex projects is generally easier than smaller projects. More code, more bugs. But its still difficult to find serious issues on the level of a sandbox escape in Chromium just because Google's long-running reward system means lots of people have spent lots of time looking into it, both manually and using automated fuzzer tools.
Back in ye olden days of 2014 I randomly stumbled upon a Chrome issue (wasn't trying to find bugs, was just writing some JavaScript code and noticed a problem) and reported it to Google and they paid me $1,500. Not bad for like half an hour's work to report the issue.
I feel like it's the opposite. In a huge project there's bound to be many weird interactions between components, and it's about picking the important/security relevant ones and finding edge cases. In this case the focus was on the interaction between the renderer process and the broker. That forms a security boundary so it makes sense to focus your efforts there - google will pay for such exploits since they can in theory, when combined with other exploits in the renderer process, lead directly to exploits that can be triggered just by opening a web page. So, yes, chrome is a huge project but the list of security-relevant locations to probe actually isn't actually all that long. That's not to diminish the researchers work, it still takes an insane amount of skill to find these issues.
Finding a problem that deserves a bug bounty reward is a very different beast to just finding quirks.
I read from one security researchers somewhere that professionals wouldn’t find enough bug bounty worthy problems in high enough frequency to pay their bills. So they’ll sometimes treat things like this more as a supplement to promote their CV rather than as a job itself.
Suppose someone wanted to dive into other projects with the ambition of finding high value bugs. Besides chromium what would you recommend or consider? What would be your thought process for deciding what projects to look into?
The answer to your question is WebKit (because iOS), kernels (XNU, Linux, Windows) etc. In case you are not familiar with the domain I'd start with user-space exploitation and relevant write ups to get my feet wet. You'll find plenty of write ups, blogs etc. so I'll skip those.
Some of the books I generally found interesting are [1],[2], [3]. There's more to that, including fundamental concepts of CS (e.g., compilers and optimization in JITs, OS architecture etc.). I believe also https://p.ost2.fyi/dashboard has some relevant training.
Bugs are "High value" in different ways, you have to find the companies willing to pay highly. Most of the high payers are on bug bounty programs (like hackerone.com) and don't always give you ability to talk about bugs later.
Google is quite unique here, particularly given Chrome is paying easily 10x what Mozilla would for a sandbox escape. Apple is in the middle -- per [1] a "WebContent sandbox escape" would be $50k, but to get $250k on their scale you need to combine that with a kernel bug.
So if you want to optimise for "value", you have to pick the targets that are easier (still not easy, obviously).
Spending a lot of time debugging code. Eventually, the pattern recognizer in your brain will pick out the bugs. The term for this is "code smell".
For example, when I'd review C code I'd look at the str???() function use. They are nearly always infested with bugs, usually either neglecting to add a terminator zero or neglecting to add sufficient storage for the terminating zero.
It is crazy that anytime someone works on application layer and wants to manipulate string, which is a very, very common thing to do when writing application, one has to consider \0 which would be an implementation detail.
I get the feeling these kind of skills are very rare because they fall in the category "understanding and debugging other people code/mess", while most people prefer to build new things (and often struggle to debug their own work).
It takes a lot a passion and dedication to security and reverse engineering to get there.
By reading and keeping up with the published work in browser exploit development, replicating it yourself, and then finding you have a knack for spotting vulnerabilities in C++ code.
To add to the sibling comment, there are also many different ways of making a living doing this stuff:
* You can find killer clientside bugs where the bounty will cover a year's worth of compensation (bear in mind you'll get maybe 1.5 of these payouts a year on your own if you're good but replacement-level)
* You can find these kinds of bugs and work with brokers to sell them to grey-market buyers along with enablement/implants --- more development work, a little more market risk.
* You can find smaller, easier bugs (serverside, web bugs) that get nothing resembling these kinds of payouts but are much easier to find, and make good money on volume. This is a much more common way of making a living on bounty payments.
Yes. There are plenty of folks who submit to the company I work for who live in regions of the world that are extremely low cost of living/salary (in USD terms) and most BB programs pay out fixed USD rates. It can be very lucrative.
Although seeing these bugs fixed and getting rewarded for finding them is great, I still think that Microsoft's idea of virtualising the entire browser process was genius. It also feels better than any "lockdown"-like mode that maybe just disables some JIT engine or two.
Grey market, not black. It's been several months since I've talked to anyone in the space but full-chain reliable quiet Chrome exploit packages were high six figures, with discussions starting about bugs reaching 7 figures imminently, and the people I talked to might have been talking that down (or talking it up).
Again, remember that grey market payouts are tranched, so you could get 3x more than Google would pay, or you could get 0.5x, and for much more work.
Google security team is really good, however sometimes things are controversial because certain bugs gets ignored in MS-way which is famous for not paying/not fixing.
I didn’t get anything for my JavaScript recursive reference failure defect report a decade ago, but then it also wasn’t a sev1 security compromise defect either.
It is unfortunate that there is no web browser in a memory safe language. As I understand, both Chromium and Firefox use C++, although Firefox partly uses Rust. This has put billions of people at risk.
One of the biggest security holes is the JIT engine, rewriting it in Rust or any other language wouldn't make a difference, since it is effectively an inner platform.
"Decent." was the first word that came into my mind. After a second, I realized that 250,000 USD ist basically 0.00022 % of Alphabet's (Google's?) annual net income [0].
A life changing amount of money for an individual, but nothing more than a small blip on Google's charts. Of course, I'm aware of "budgets" and "departments", and that one simply does not move funds between departments. And while my mind is on the verge of "maybe they should have paid more?", the numbers would mean that even 10x the sum would move the percentage by one decimal. It's wild how much money big corporations have.
I highly applaud the researcher for their tremendous amount of skill and dedication.
How much Alphabet makes is almost irrelevant. The incentive here should be for security researchers. As long as there's enough incentive for security researchers to continue to report the bugs they find (which must be balanced against the potential payment a criminal could get if exploiting the bug, which is not directly correlated to the company's income either, at least not necessarily), the payment is appropriate.
To be fair, goog has to pay comparable to other 3rd party brokers, and not necessarily "potential payment by exploiting the bug". Finding an exploit and being able to deploy it for financial gains are two distinct problems, with separate skillsets, risks, etc.
Plus there are some other benefits of disclosing to goog. After you get into VRP you get access to grants & stuff and can basically ask to study a problem and get funded for that effort. Being able to blog about it, pad your experience, etc etc. All while not having to look over your shoulder for 3 letter agencies your whole life :)
While I embrace the downvotes, I disagree. From my pov, the amount of money paid should factor in the anticipated risk for your business. If a privilege escalation means that Google takes a massive hit in Ad Revenue, than this should be factored in.
There’s little relationship between the net income of a company and what is an appropriate bug bounty, especially a company as diversified as alphabet.
So someone found a way to exploit Chrome. Should Google now cash you out some dividends they got from Ads, YouTube, GCP, Pixel, Android and Waymo so they can really feel that it costs them an arm and a leg?
Suddenly incentives are there to apply as a Chrome developer is more lucrative than CxO position because one can produce bugs for friends to find.
Indeed, one of the great tragedies of life is that this happens. Humans cannot survive without water, yet the median water bill is $80, which is about 1% of the median household's income. People make so much money but refuse to pay for something that literally sustains their life. Join me in requiring that every household at least 10x the amount they pay for this precious water. To employees of water companies: Thank you for your service.
Have you also considered how much humans ought to be paying the trees for their Oxygen? I may look into buying some shares in those trees if they are available.
> You make a bunch money too, should you pay $100 for that taco? It's nothing to you.
Looking at my yearly net income, paying 100$ for a single taco in a year would mean that 0.26% of my net income would go into a taco. Paying 0.1$ for a single taco would make it 0.00026%. According to the consensus in this comment section, that would be pretty gracious. Yes, that's where I'm going with this.
//Edit: Thanks at postflopclarity for pointing out my wrong math.
Yeah, assuming the people working at the taco shop aren't very well off the taco should cost $100 for a software engineer, $80M for Jeffrey Bezos, and $4 for someone down on their luck.
If we wanted, we could make this more efficient by giving out free healthcare and housing to people, proportional to their need, and tax $95 from the software engineer, $80M from Bezos, and $0 from someone down on their luck.
Progressive Tacos does sound better than Progressive taxation, and it would probably work better because rich people dodge taxes all the time, but come on, who doesn't want to eat tacos?
We (software engineers) won't have proper empathy for the poor until we go into an apple store and the price tag on the iPhone is "20% of your net worth".
He had a pretty reliable exploit on the most used browser, pretty sure it he could have gotten more tax free on the black market.
Now, with EDR widely deployed it's likely that the exploit usage ends up being caught sooner than later, but pretty sure some dictatorship intelligence agency would have found all those journalists deep compromise worthwhile...
> pretty sure it he could have gotten more tax free on the black market.
How?
I've been paid by bug bounties (although not that big) and I have no idea how I would find a trustworthy criminal to sell to.
I guess I'd need to find a forum? Unless my opsec is exemplary then I'm risking being exposed. I'd need to vet that the buyer would actually pay me and not just steal it from me. Even if they do pay me, I'd be worried that they'd blackmail me or try to extract something from me. But assuming they're good black-marketeers, I still have to explain to the authorities where this large amount of cash came from.
So how do I go about selling to the black market in a safe way?
Oh, and I don't get to write a blog post about the bug or get my name in front of other researchers and recruiters. That can be worth a huge amount - both in cash and reputation.
Mostly the best market is intelligence agency vendors. As a US citizen, I would only be comfortable selling to US contractors. There are a bunch; if you go to conferences you probably meet the people there (look at the sponsors...).
It won't be tax-free, though; you'd probably get a 1099, but if you're smart could set it up as corp to corp and deduct a bunch of other expenses from it. Part of the sale is signing a bunch of NDAs, etc so you can't then release it to others.
6 replies →
> How
There are companies that specialize in getting grey market bugs in important software, ie browsers and OSes. They are repwat players and have a reputation to actually pay out.
13 replies →
You'll probably end up with 40 subscriptions to Vibe magazine.
The black market is "if you have to ask then you are already not qualified"
unless you are an agent posing questions to get people to sink themselves.
Thats what trusted middle men are for, instead of gaining rep among infosec posers on twitter you build rep under your anonymous alias. This is nothing new.
Or just sell it to the israelis.
1 reply →
[dead]
[dead]
[dead]
> a trustworthy criminal
Not going to happen.
2 replies →
Selling something to the black market doesn't magically make it tax free. It's almost the opposite. The money is going to show up in your auditable accounts sooner or later, so it's best to pay tax on it, but you'll also have to come up with a fake but auditable story of where it came from, meaning you'll have to engage the services of professional money launderers. They will also take a cut. So, it's like paying tax twice.
Getting paid in cryptocurrency isn't necessarily a dodge either because even if you claim you mined it or something, the authorities have got wise to this a while ago IIUC and will expect to see evidence to back that claim up too.
Up to here you weren't committing any crimes.
> but you'll also have to come up with a fake but auditable story of where it came from
And now you did.
4 replies →
The money itself might not be dirty, couldn’t you just claim something like “I sold a secret, highly valuable algorithm to this guy”? Tax would still need to be paid of course
7 replies →
If you get paid in crypto, leave it in crypto, and just trade crypto for goods or services uncle sam is none the wiser.
1 reply →
Selling an exploit is not illegal so why bother with money laundering?
2 replies →
Everybody here is coldly evaluating the financial profit comparison. How about being a decent human being, and not enabling hundreds of criminals to hurt millions of people because your net income is potentially better?
People are fixated, across this thread, on a black market of organized criminals buying vulnerabilities, but for the most part criminals aren't the real alternative market buyers for high-end vulnerabilities, and while people on message boards may incline towards viewing IC and LEO agencies as themselves criminal, I think you'll find a pretty substantial fraction of normal people find supplying IC/LEO agencies as more than just decent; praiseworthy, even.
That thorny ethical issue aside, I'm fond of pointing out that the IC's main alternative to CNE intelligence collection is human intelligence, and the cost of HUMINT simply in employee benefits dwarfs any near-term possible cost of exploit enablement packages; 7 figures is a pittance (remember: most major western governments are essentially benefits management organizations with standing armies).
Even given the seemingly vast sums earned by organized crime, government buyers are positioned to decisively outbid crime over the medium term. It's really early days for these markets.
3 replies →
People are evaluating this from a cold perspective to see if the system is working as designed or not.
1 reply →
Why not collect from both of the sources? First collect with your black hat and then with your white.
First, it's not "black market" vs. "non-black market"; most remunerative sales outside of bounty programs are grey-market --- mostly lawful, but all under the table, largely because they're to agencies that are protective of their sources and methods.
The mechanism grey-market buyers have to protect their interests against over-selling bugs is tranched payments. Sellers make much of their returns from bugs on the back end through "maintenance agreements", which both require the seller to keep e.g. the offsets in their exploits current and reliable against new patch levels of the target, and also serve to cut off payment once the vendor kills the bug.
If you sell to both sides, you quickly kill the back end business from the grey market buyers. If you sell to too many or too sketchy grey market buyers, the bug leaks --- vendors see it exploited "in the wild", capture samples, kill the bug; same outcome: tranched payments stop.
This is one reason it can make sense to take a bounty payment that is substantially smaller than what a bug might be worth on the market: you get certainty of payment. Another reason is that the bounty program will only want POC code (perhaps proof of reliability in addition to just exploitability), while the market will want a complete enablement package, which is a lot of work.
Black hats will not pay you for an exploit that dies quickly once the white hats get your report. White hats will not pay you for an exploit that you fenced to a black hat agency and showed up in the wild.
2 replies →
"If I report the body, no-one will suspect I'm the murderer"
Yes they will.
6 replies →
Because you'll get found out and never employed as a security researcher again
1 reply →
Typically can't do that.
Security services tend to anonymously report security flaws they use after use against any high value target, since they don't want the opponent using those same flaws back at them.
1 reply →
An exploit that is used is an exploit that will eventually leave traces that an analyst will look at (if used on a corporate PC)... Either you use it very sparingly on HVT or you end up on the EDR radars and some IOC will be made public eventually.
Yes; this is the one case where there's a liquid market for these kinds of vulnerabilities. The important detail: for these (and only these) bugs, you can sell them multiple times; for instance, firms exist that specialize in selling these bugs and their enablement packages to, say, every law enforcement and intelligence agency in a single country.
> pretty sure it he could have gotten more tax free on the black market.
Not necessarily. On slide 72 of this presentation, it says sandbox escape or bypass for Chrome is worth up to $200000:
https://nocomplexity.com/wp-content/uploads/2024/06/bluehat2...
(I originally found this presentation on github[1], but github seems down right now[2].)
[1] https://github.com/mdowd79/presentations/blob/main/bluehat20...
[2] https://www.reddit.com/r/github/comments/1mnlgc5/is_github_d...
Mossad and its subsidiaries like NSO pay $1M
https://citizenlab.ca/2016/08/million-dollar-dissident-iphon...
1 reply →
What if people start asking questions where you got the million dollars from? I've never understood how those presumably illegal markets can function with such large sums involved.
They're not illegal.
You are a security researcher. Your mind is trained to find and mitigate vulnerabilities. Including the vulnerabilities in finance / tax reporting.
You'll think of something. If you can hack one system, you can hack another.
$250k fully legally and with recognition is probably a good incentive not to bother. White hats have their privileges.
Money laundering, give the money to a shell company and have them report it as income. Obviously not that simple but that's the basic explanation.
That is why money laundering exists.
not if millions of dollars is bitcoin
You still have to pay taxes on income from non-bug bounty vulnerability markets, be it to law enforcement, brokers, or criminals.
Not really tax free lol! In both cases you arent getting withholding so you need to declare it.
Some exploits are sold bag of cash under a table. See e.g. https://news.ycombinator.com/item?id=20651607
Your hookers and blow dealers won't report you to the taxman.
6 replies →
If you got it tax free you would run the risk of being prosecuted for tax evasion, would that really be worth it?
> Now, with EDR widely deployed it's likely that the exploit usage ends up being caught sooner than later
lol
Why? If you actually exit the sandbox you'll start leaving traces, and eventually you'll slip and be looked at. That's part of the story EDR vendors sell at least.
You can't deny that you are way more likely to burn the exploit using it on a machine under watch than on a machine that is not...
1 reply →
This is true for all crime.
Sandbox escape with high-quality report in Chrome: $250k [1], yet Mozilla will offer you $20k [2] for that...
[1] https://bughunters.google.com/about/rules/chrome-friends/574...
[2] https://www.mozilla.org/en-US/security/client-bug-bounty/
According to Wikipedia, that's 0.012% of their net income. [0] While I'm being told in the comments that this is not the way to look at it, it means that this is, percentage wise, 50x the amount that Google is paying.
Sounds fine to me.
[0]: https://en.wikipedia.org/wiki/Mozilla_Corporation
//Edit: Had a typo in my percentage. 20.000 of 157.000.000 is, indeed, 0.012% - that makes it 50x the amount of Google's percentage.
If only they'd use a similar rubric to rein in their CEO comp[1].
[1]: https://news.ycombinator.com/item?id=24132168
8 replies →
But Chrome is paying more as a percentage of their browser units' income, no?
Virtually all of Mozilla's income comes from the browser (via the Google search agreement). The vast majority of Google's revenue comes from ad revenue on search, YouTube, and Adsense. Not from Chrome directly. So they had less incentive to reward its security, but did so anyway. And they also do some of the best work in the industry, free, for competitors via Project Zero.
9 replies →
Do you pay a software engineer for their time based on your revenue or his skill?
9 replies →
>According to Wikipedia, that's 0.0012% of their net income.
How much of the Mozilla foundation's income goes into product development nowadays?
2 replies →
Chrome has 15-20 times the users that firefox in the blackmarket the bug would sell for similar ratio. Safari might go for more as it has more rich and tech security illiterate users.
disagree. more marketshare does not mean juicier targets, which, in this case, would be tor users. in addition, you don't buy an exploit to use it en masse, that would get it burned really quickly
1 reply →
Have you looked at the financial health of the one company vs the other? I am pretty sure Google is making more than 10x the money Mozilla is making.
It'd be fun to do a sketch that's a montage of an array of HN armchair quarterbacks rolling up their sleeves and taking short-lived shots at CEO for Mozilla.
Marching into the home office, kicking butt, and pointing at the whiteboard for their favorite pet project:
* Mozilla focusing on privacy
* Mozilla focusing on web standards
* Mozilla focusing on speed
* Mozilla (apparently, here) focusing on maximizing the size of payouts for bug bounties
Inspiring, Rocky-style music plays in the background.
In the foreground, a red line continuously traces slowly downward, with no perceivable relationship to the scenes in the montage.
The grey market also offers much less for Firefox vulnerabilities, for reasons of both supply and of demand.
* Compare income * Compare market share * Compare market share normalised by likelihood of attack yielding benefit, in short-- fx users would be power users probably more likely to have other ways to mitigate an attack
* Or basically just compare black market prices which already taken the above 3 into account
Tells you who is more serious about security. A quarter of $1M is a fair price for this type of bug.
Won't complain about that.
Just like you personally obviously don't care about your personal security when you do not pay a team of body guards 250k a year.
> Tells you who is more serious about security.
Yup, clearly Mozilla.
$250k is loose change for Google.
Really doesn't tell me piss all, as I'm not privy to their respective overall cash flow. Are you, considering you say it does for you?
Is monetary expenditure on vulnerability payouts really the primary determinent of who's taking security more seriously, by the way? Sounds a bit backwards to me.
1 reply →
“ Default disclosure for this issue is 11 August. Opening this issue just five days early for visibility this particular week. :)”
Hello Defcon!
Link to the reward comment:
https://issues.chromium.org/issues/412578726#comment26
Of note, this is a logic/timing bug, and Rust would not have prevented this.
Is there somewhere explaining this bug in terms understandable for someone not dabbling in this?
I don't really understand how this works to "escape the sandbox". Normally it's like a website you visit that get access it shouldn't have. But this talk about renderers and native apis make it seem like it's stuff another process on the computer would do?
First you compromise the renderer process via e.g. a bug in the JS engine. But even if you have native code execution in the context of the renderer process, you're still in a sandbox.
The bug in the OP is for the second stage - breaking out of the sandbox.
The referenced `patch.diff` is basically for simulating a compromised renderer.
Ah, so it's like a two stage rocket, this turns a small exploit into a humongous one?
4 replies →
> The referenced `patch.diff` is basically for simulating a compromised renderer.
The patch.diff part is hard to understand. Surely if you have a compromised renderer, you have effectively full access to the machine already?
3 replies →
It looks like the bug is that there is a way for the renderer (sandboxed) process to trigger the browser (unsandboxed) process to duplicate an arbitrary windows kernel object handle. When you duplicate a handle, you can restrict access, or allow the duplicate to have full access as the original - unfortunately this one is duplicating preserving all the capabilities/access of the original handle.
Now for the POC exploit - it so happens that 0x108 is typically a thread handle for a thread in the browser process. What can you do with a thread handle? You can pause execution of that thread, set its register values (including instruction pointer), resume execution.
If kernel32.dll loads at the same address in each process, we can find some set of instructions in it that write a register's value to another register's address. If we set the instruction pointer to that instruction, we've unlocked the ability to write arbitrary memory in the unsandboxed process.
Finally, we can call other Windows APIs (by finding the address of the function to call and setting instruction pointer to it)- in the POC, they write "calc.exe" to a string, then call the system api to launch calculator.
Kind of life changing money, good to see such rewards
Where I live (Denmark) even if it was tax free you would more or less be unable to purchase an one bedroom apartment in the capital for this amount.
Getting enough for a good down payment on a house is life changing for many people. You'll make it back not paying rent into a void.
4 replies →
the first time I got a bonus that big, $240k, I thought it would be life changing. the gov took $100k in taxes. I paid off my car $20k. then when I really thought about it there wasn’t much I could do.
It was not a down payment on a house in LA/SF/NYC. it was not enough to start a company and hire people. If I’d changed my life style to be like a college student and live with roommates then it might have given me 2-3 years of student lifestyle but I was 34 and not prepared to go back to student lifestyle
To be honest it was super disappointing. Of course getting a $240k bonus is a privilege. My only point was it didn’t change my life like I thought it would.
And, that was 25 years ago. today, even a million ($600k after taxes) in those 3 cities won’t likely change your life. Maybe you could put a down payment on a house or pay for your kids college tho but it not the freedom I thought it would be
Depends where you live. Where I'm from $240k would buy you a really nice house with lots of land, and you'd have money left over.
>>won’t likely change your life. Maybe you could put a down payment on a house or pay for your kids college tho but it not the freedom I thought it would be
How is being able to put a down paymenent on a house or being able to send your kids to collage debt-free not life changing?
11 replies →
225k in 2025 dollars is life changing for anyone in the middle class of income. The reason you were unable to do anything with it is because you were already earning too much.
2 replies →
For you maybe. For someone in debt or who has never ever had a financial safety net, the amount of stress relief from finally having a bit of safety money behind you is mental.
> it was not enough to start a company and hire people.
It is in Taiwan, Vietnam, Indonesia, Cambodia...
why comments about taxes get gray here? is it bad behavior in US to discuss taxes?
1 reply →
Depends on where in the world you are. I wouldn't call $250k life-changing-money anywhere developed.
It's "I can probably stop worrying about money for a while" kind of money, not "life-changing" money. Not a whole lot you can buy for $250k. After taxes, that probably doesn't even buy a house.
Can somebody help me understand why these obviously very stupid takes keep popping up on HN? Is it rich people who genuinely have no idea what anything costs? Is it rich people intentionally being cruel to everybody else? Is it people trying to appear rich by pretending they have no idea what anything costs? Is it a bay area thing, are people just blowing through a literal fortune every year and unaware of their spending problems? Is it children whose ideas about money come from “influencers”?
6 replies →
In Sweden, assuming that $125k of that disappears in taxes, it’d leave you with 1.2M SEK. There are currently ~650 properties on Hemnet between 1M and 1.25M. I’d suggest maybe this one in Ödeshög at 1.1M SEK? https://www.hemnet.se/bostad/villa-3rum-odeshog-odeshogs-kom... Not the biggest, but it’s reasonably well done up, comes with 2/3rds of an acre of land, is near a main motorway to get to places, and near the shore of the biggest lake in the country. If you want to take a train then it’s 30 minutes drive to the nearest station on the Stockholm-Copenhagen line.
2 replies →
Impressive. Feel like finding issues like this in such a large project is like looking for a needle in a haystack
Finding issues in large complex projects is generally easier than smaller projects. More code, more bugs. But its still difficult to find serious issues on the level of a sandbox escape in Chromium just because Google's long-running reward system means lots of people have spent lots of time looking into it, both manually and using automated fuzzer tools.
Back in ye olden days of 2014 I randomly stumbled upon a Chrome issue (wasn't trying to find bugs, was just writing some JavaScript code and noticed a problem) and reported it to Google and they paid me $1,500. Not bad for like half an hour's work to report the issue.
https://issues.chromium.org/issues/40078754
I feel like it's the opposite. In a huge project there's bound to be many weird interactions between components, and it's about picking the important/security relevant ones and finding edge cases. In this case the focus was on the interaction between the renderer process and the broker. That forms a security boundary so it makes sense to focus your efforts there - google will pay for such exploits since they can in theory, when combined with other exploits in the renderer process, lead directly to exploits that can be triggered just by opening a web page. So, yes, chrome is a huge project but the list of security-relevant locations to probe actually isn't actually all that long. That's not to diminish the researchers work, it still takes an insane amount of skill to find these issues.
Finding a problem that deserves a bug bounty reward is a very different beast to just finding quirks.
I read from one security researchers somewhere that professionals wouldn’t find enough bug bounty worthy problems in high enough frequency to pay their bills. So they’ll sometimes treat things like this more as a supplement to promote their CV rather than as a job itself.
Impressive speed on rewarding as well. Around 4 weeks.
Lot of companies will sit for months just to acknowledge your submission.
Suppose someone wanted to dive into other projects with the ambition of finding high value bugs. Besides chromium what would you recommend or consider? What would be your thought process for deciding what projects to look into?
The answer to your question is WebKit (because iOS), kernels (XNU, Linux, Windows) etc. In case you are not familiar with the domain I'd start with user-space exploitation and relevant write ups to get my feet wet. You'll find plenty of write ups, blogs etc. so I'll skip those. Some of the books I generally found interesting are [1],[2], [3]. There's more to that, including fundamental concepts of CS (e.g., compilers and optimization in JITs, OS architecture etc.). I believe also https://p.ost2.fyi/dashboard has some relevant training.
[1] https://nostarch.com/zero-day
[2] https://nostarch.com/hacking2.htm
[3] https://ia801309.us.archive.org/26/items/Wiley.The.Shellcode...
Bugs are "High value" in different ways, you have to find the companies willing to pay highly. Most of the high payers are on bug bounty programs (like hackerone.com) and don't always give you ability to talk about bugs later.
Google is quite unique here, particularly given Chrome is paying easily 10x what Mozilla would for a sandbox escape. Apple is in the middle -- per [1] a "WebContent sandbox escape" would be $50k, but to get $250k on their scale you need to combine that with a kernel bug.
So if you want to optimise for "value", you have to pick the targets that are easier (still not easy, obviously).
[1]: https://security.apple.com/bounty/categories/
I'm highly skeptical this level of bug bounty would be sustainable by whatever company ends up buying Chrome after DOJ forces it to be divested.
How does one start acquiring skills like these?
Spending a lot of time debugging code. Eventually, the pattern recognizer in your brain will pick out the bugs. The term for this is "code smell".
For example, when I'd review C code I'd look at the str???() function use. They are nearly always infested with bugs, usually either neglecting to add a terminator zero or neglecting to add sufficient storage for the terminating zero.
It is crazy that anytime someone works on application layer and wants to manipulate string, which is a very, very common thing to do when writing application, one has to consider \0 which would be an implementation detail.
How can that language still be so popular?
24 replies →
I get the feeling these kind of skills are very rare because they fall in the category "understanding and debugging other people code/mess", while most people prefer to build new things (and often struggle to debug their own work).
It takes a lot a passion and dedication to security and reverse engineering to get there.
Practice, and having supernatural perseverance (although probably not in that order)
I'd guess the curriculum is half reverse engineering and half reading any write-ups to see the attacks and areas of attack for inspiration
By reading and keeping up with the published work in browser exploit development, replicating it yourself, and then finding you have a knack for spotting vulnerabilities in C++ code.
https://pwn.college/
Read the blogs of the guys creating the bugs.
[flagged]
Are there people who work full time from income on bug bounties?
To add to the sibling comment, there are also many different ways of making a living doing this stuff:
* You can find killer clientside bugs where the bounty will cover a year's worth of compensation (bear in mind you'll get maybe 1.5 of these payouts a year on your own if you're good but replacement-level)
* You can find these kinds of bugs and work with brokers to sell them to grey-market buyers along with enablement/implants --- more development work, a little more market risk.
* You can find smaller, easier bugs (serverside, web bugs) that get nothing resembling these kinds of payouts but are much easier to find, and make good money on volume. This is a much more common way of making a living on bounty payments.
This seems harder and riskier than a full time wage - almost like a salesman who makes money from commission.
1 reply →
Yes. There are plenty of folks who submit to the company I work for who live in regions of the world that are extremely low cost of living/salary (in USD terms) and most BB programs pay out fixed USD rates. It can be very lucrative.
Although seeing these bugs fixed and getting rewarded for finding them is great, I still think that Microsoft's idea of virtualising the entire browser process was genius. It also feels better than any "lockdown"-like mode that maybe just disables some JIT engine or two.
I'd really like that on both Linux and macOS.
I wonder how much the black market would pay for an exploit like that - anyone know?
Grey market, not black. It's been several months since I've talked to anyone in the space but full-chain reliable quiet Chrome exploit packages were high six figures, with discussions starting about bugs reaching 7 figures imminently, and the people I talked to might have been talking that down (or talking it up).
Again, remember that grey market payouts are tranched, so you could get 3x more than Google would pay, or you could get 0.5x, and for much more work.
I’m sure there is a black market for something like this?
1 reply →
not 250k for sure :)
Google security team is really good, however sometimes things are controversial because certain bugs gets ignored in MS-way which is famous for not paying/not fixing.
Descargas virus
[dead]
Google have money to burn though.
Does this mean engineers of Google can't fix it?
No, it was fixed after it was reported.
I didn’t get anything for my JavaScript recursive reference failure defect report a decade ago, but then it also wasn’t a sev1 security compromise defect either.
It is unfortunate that there is no web browser in a memory safe language. As I understand, both Chromium and Firefox use C++, although Firefox partly uses Rust. This has put billions of people at risk.
This post is about a logic bug that could have happened in any language
One of the biggest security holes is the JIT engine, rewriting it in Rust or any other language wouldn't make a difference, since it is effectively an inner platform.
This bug is a logic error iiuc so language wouldn't help.
Servo project is active and probably usable in a year or two (but as others have said this bug is different)
"Decent." was the first word that came into my mind. After a second, I realized that 250,000 USD ist basically 0.00022 % of Alphabet's (Google's?) annual net income [0].
A life changing amount of money for an individual, but nothing more than a small blip on Google's charts. Of course, I'm aware of "budgets" and "departments", and that one simply does not move funds between departments. And while my mind is on the verge of "maybe they should have paid more?", the numbers would mean that even 10x the sum would move the percentage by one decimal. It's wild how much money big corporations have.
I highly applaud the researcher for their tremendous amount of skill and dedication.
[0] https://www.reddit.com/r/google/comments/1lh0pl4/google_is_n...
How much Alphabet makes is almost irrelevant. The incentive here should be for security researchers. As long as there's enough incentive for security researchers to continue to report the bugs they find (which must be balanced against the potential payment a criminal could get if exploiting the bug, which is not directly correlated to the company's income either, at least not necessarily), the payment is appropriate.
To be fair, goog has to pay comparable to other 3rd party brokers, and not necessarily "potential payment by exploiting the bug". Finding an exploit and being able to deploy it for financial gains are two distinct problems, with separate skillsets, risks, etc.
Plus there are some other benefits of disclosing to goog. After you get into VRP you get access to grants & stuff and can basically ask to study a problem and get funded for that effort. Being able to blog about it, pad your experience, etc etc. All while not having to look over your shoulder for 3 letter agencies your whole life :)
1 reply →
> How much Alphabet makes is almost irrelevant.
While I embrace the downvotes, I disagree. From my pov, the amount of money paid should factor in the anticipated risk for your business. If a privilege escalation means that Google takes a massive hit in Ad Revenue, than this should be factored in.
2 replies →
These types of comparisons are illogical.
There’s little relationship between the net income of a company and what is an appropriate bug bounty, especially a company as diversified as alphabet.
So someone found a way to exploit Chrome. Should Google now cash you out some dividends they got from Ads, YouTube, GCP, Pixel, Android and Waymo so they can really feel that it costs them an arm and a leg?
Suddenly incentives are there to apply as a Chrome developer is more lucrative than CxO position because one can produce bugs for friends to find.
Indeed, one of the great tragedies of life is that this happens. Humans cannot survive without water, yet the median water bill is $80, which is about 1% of the median household's income. People make so much money but refuse to pay for something that literally sustains their life. Join me in requiring that every household at least 10x the amount they pay for this precious water. To employees of water companies: Thank you for your service.
Have you also considered how much humans ought to be paying the trees for their Oxygen? I may look into buying some shares in those trees if they are available.
It's fun to twist the rules and put "business life" and "human life" on the same level, innit?
1 reply →
What's your suggestion exactly? Making anyone who can find a bug a millionaire? That's ridiculous. 250k is already insanely high.
You make a bunch money too, should you pay $100 for that taco? It's nothing to you.
> You make a bunch money too, should you pay $100 for that taco? It's nothing to you.
Looking at my yearly net income, paying 100$ for a single taco in a year would mean that 0.26% of my net income would go into a taco. Paying 0.1$ for a single taco would make it 0.00026%. According to the consensus in this comment section, that would be pretty gracious. Yes, that's where I'm going with this.
//Edit: Thanks at postflopclarity for pointing out my wrong math.
2 replies →
Yeah, assuming the people working at the taco shop aren't very well off the taco should cost $100 for a software engineer, $80M for Jeffrey Bezos, and $4 for someone down on their luck.
If we wanted, we could make this more efficient by giving out free healthcare and housing to people, proportional to their need, and tax $95 from the software engineer, $80M from Bezos, and $0 from someone down on their luck.
Progressive Tacos does sound better than Progressive taxation, and it would probably work better because rich people dodge taxes all the time, but come on, who doesn't want to eat tacos?
We (software engineers) won't have proper empathy for the poor until we go into an apple store and the price tag on the iPhone is "20% of your net worth".
1 reply →
Equal to the black market price.
Anything less is an incitement to allow exploits to be used in the wild.
1 reply →