Back in ye olden days of 2014 I randomly stumbled upon a Chrome issue (wasn't trying to find bugs, was just writing some JavaScript code and noticed a problem) and reported it to Google and they paid me $1,500. Not bad for like half an hour's work to report the issue.
I read from one security researcher somewhere that professionals wouldn't find enough bug-bounty-worthy problems at a high enough frequency to pay their bills. So they'll sometimes treat things like this more as a supplement to promote their CV rather than as a job itself.
It was not a down payment on a house in LA/SF/NYC. It was not enough to start a company and hire people. If I'd changed my lifestyle to be like a college student and lived with roommates then it might have given me 2-3 years of student lifestyle, but I was 34 and not prepared to go back to a student lifestyle.
To be honest it was super disappointing. Of course getting a $240k bonus is a privilege. My only point was it didn’t change my life like I thought it would.
And, that was 25 years ago. Today, even a million ($600k after taxes) in those 3 cities won't likely change your life. Maybe you could put a down payment on a house or pay for your kids' college tho, but it's not the freedom I thought it would be.
>> won't likely change your life. Maybe you could put a down payment on a house or pay for your kids' college tho, but it's not the freedom I thought it would be
How is being able to put a down payment on a house or being able to send your kids to college debt-free not life changing?
Because neither of those are going to change your daily life that much? It simplifies a thing or two, but neither of those things are life-changing.
There's a lot of people who can't even imagine ever being able to put down a deposit on a house or to send their kids to college debt-free. With an amount of money like that you can go from being trapped in rent hell forever to actually purchasing your own house. Or you can give your kids the education you want to give them. They are major, life-changing impacts. Again, to describe it as "simplifies a thing or two" to me implies that you could do them even without this money, in which case yeah, it changes very little.
I have a hard time seeing it as life changing for me, having a decent-paying job (not Silicon Valley developer scale) in an expensive country. Ofc if I had a low-paying career without that many prospects my outlook might differ.
I don't live in a place where you pay for your kids being in college so I can't speak for that part.
It is in Taiwan, Vietnam, Indonesia, Cambodia...
It's "I can probably stop worrying about money for a while" kind of money, not "life-changing" money. Not a whole lot you can buy for $250k. After taxes, that probably doesn't even buy a house.
If you got a $240,000 bonus in the mid-2000s in tech, that very likely means you were living in one of the tech metros (SF, NYC) and you could expect nearly 50% of that to be paid in taxes (CA/Fed, NY/NYC/Fed). So you take home about $120,000.
It's a windfall of money to be sure. But being in an employment situation where even such a bonus is possible likely means you already have significantly higher costs than the average person. Maybe you'll pay down some student loans and bolster your savings. But this is far from being "rich". High-earners also tend to have high costs of living.
Of course $140k would be life changing for most people. But OP, and I suspect most of the other commenters, are not in that situation.
It’s a fact that my life didn’t change so it wasn’t a life changing amount of money for me.
Maybe it would be life changing for others. Tho at least in SF/NYC/LA I suspect it wouldn't be for most people. If I had given it to my sister she'd have used it to pay down her mortgage. Her life wouldn't change. She'd have still had a mortgage and her day-to-day life wouldn't have changed at all. My nephew could have used it to pay off his student loans. That would be great, but again his daily life wouldn't have changed.
A life changing amount of money for an individual, but nothing more than a small blip on Google's charts. Of course, I'm aware of "budgets" and "departments", and that one simply does not move funds between departments. And while my mind is on the verge of "maybe they should have paid more?", the numbers would mean that even 10x the sum would move the percentage by one decimal. It's wild how much money big corporations have.
I highly applaud the researcher for their tremendous amount of skill and dedication.
[0] https://www.reddit.com/r/google/comments/1lh0pl4/google_is_n...
Plus there are some other benefits of disclosing to goog. After you get into VRP you get access to grants & stuff and can basically ask to study a problem and get funded for that effort. Being able to blog about it, pad your experience, etc etc. All while not having to look over your shoulder for 3 letter agencies your whole life :)
You know there’s ongoing and plausible efforts by at least 3 organizations to conquer the Earth, right?
While I embrace the downvotes, I disagree. From my pov, the amount of money paid should factor in the anticipated risk for your business. If a privilege escalation means that Google takes a massive hit in ad revenue, then this should be factored in.
Given this exploit, that would probably lower the payout. There are absolutely tons more sandbox escapes in Chromium engine right now (here's a fun list of previous ones, none of which cost them ad rev[1]), and they're not adversely affecting Google's ad revenue. No company is pulling ads because Chrome has a vuln.
This wouldn't even be the kind of reputational hit that something like SolarWinds was.
An exploit like this would be abused by somebody who sets up a malicious website to try to take control over somebody's device or otherwise steal secrets from them like keys for cryptocurrencies. These attacks tend to be targeted. Nobody is using an exploit like this to create an ad blocker or even to do ad fraud.
The only risk to revenue here is reputational, and I think that it is likely that the existence of this bug would be less widely known if the bounty program didn't exist and the bug was sold on the black market.
There’s little relationship between the net income of a company and what is an appropriate bug bounty, especially a company as diversified as alphabet.
You make a bunch money too, should you pay $100 for that taco? It's nothing to you.
Anything less is an incitement to allow exploits to be used in the wild.
Looking at my yearly net income, paying $100 for a single taco in a year would mean that 0.26% of my net income would go into a taco. Paying $0.10 for a single taco would make it 0.00026%. According to the consensus in this comment section, that would be pretty gracious. Yes, that's where I'm going with this.
//Edit: Thanks to postflopclarity for pointing out my wrong math.
> It's wild how much money big corporations have. ?
If we wanted, we could make this more efficient by giving out free healthcare and housing to people, proportional to their need, and tax $95 from the software engineer, $80M from Bezos, and $0 from someone down on their luck.
Progressive Tacos does sound better than Progressive taxation, and it would probably work better because rich people dodge taxes all the time, but come on, who doesn't want to eat tacos?
We (software engineers) won't have proper empathy for the poor until we go into an apple store and the price tag on the iPhone is "20% of your net worth".
Suddenly the incentives are there: applying as a Chrome developer is more lucrative than a CxO position, because one can produce bugs for friends to find.
Now, with EDR widely deployed it's likely that the exploit usage ends up being caught sooner than later, but pretty sure some dictatorship intelligence agency would have found all those journalists deep compromise worthwhile...
Security services tend to anonymously report security flaws they use after use against any high value target, since they don't want the opponent using those same flaws back at them.
Yes they will.
If you are the murderer, there will be.
Honestly I’d be more worried about crossing the blackhats.
...come to think of it, how does that work? Aren't the most important exploits to patch the ones being actively used in the wild?
In other words, how do they avoid someone playing both sides? "I found an exploit being used by the LEETH4X0R malware [which was in fact created by the guy I sold this exploit to] to steal people's gmail cookies."
You'd have to find out about LEETH4X0R before other researchers, but of course, you'd have a head start.
The mechanism grey-market buyers have to protect their interests against over-selling bugs is tranched payments. Sellers make much of their returns from bugs on the back end through "maintenance agreements", which both require the seller to keep e.g. the offsets in their exploits current and reliable against new patch levels of the target, and also serve to cut off payment once the vendor kills the bug.
If you sell to both sides, you quickly kill the back end business from the grey market buyers. If you sell to too many or too sketchy grey market buyers, the bug leaks --- vendors see it exploited "in the wild", capture samples, kill the bug; same outcome: tranched payments stop.
This is one reason it can make sense to take a bounty payment that is substantially smaller than what a bug might be worth on the market: you get certainty of payment. Another reason is that the bounty program will only want POC code (perhaps proof of reliability in addition to just exploitability), while the market will want a complete enablement package, which is a lot of work.
You'll think of something. If you can hack one system, you can hack another.
$250k fully legally and with recognition is probably a good incentive not to bother. White hats have their privileges.
Your hookers and blow dealers won't report you to the taxman.
And yeah, if you want normal stuff like a house or car you'd need to wash the money. How do I know? Breaking Bad. Which, let's be honest, is probably, for most of us, our only reference point here.
[1] https://www.elizabethhoney.com/45--47-stella-street.html
The IRS isn't referring suspicious (whatever that means) tax returns to the authorities. What happens if you are a criminal is that the authorities have their attention on you because you are doing illegal things. One angle of attack for them is your finances. That is why money laundering exists.
Getting paid in cryptocurrency isn't necessarily a dodge either because even if you claim you mined it or something, the authorities have got wise to this a while ago IIUC and will expect to see evidence to back that claim up too.
They also have every incentive to make sure you're guilty enough to not go blab to the authorities later, or sell it to someone else.
And since you're trying to be anonymous in this, you aren't going to be getting a regular tax receipt either.
I grew up in an area known for people growing cannabis before it was legal. An enormous amount of taxes got dodged through cash land deals, but tons of people just claimed the income under various categories and no one ever came knocking because of that.
It's usually the other way around. If you caught the Feds' eye, then they might try to get you on tax evasion or something. Although, frankly, even that was very rare. There are just a lot of very obvious fish to fry.
https://www.irs.gov/publications/p525#en_US_2024_publink1000...
>Illegal activities.
>Income from illegal activities, such as money from dealing illegal drugs, must be included in your income on Schedule 1 (Form 1040), line 8z, or on Schedule C (Form 1040) if from your self-employment activity.
> but you'll also have to come up with a fake but auditable story of where it came from
And now you did.
How?
I've been paid by bug bounties (although not that big) and I have no idea how I would find a trustworthy criminal to sell to.
I guess I'd need to find a forum? Unless my opsec is exemplary then I'm risking being exposed. I'd need to vet that the buyer would actually pay me and not just steal it from me. Even if they do pay me, I'd be worried that they'd blackmail me or try to extract something from me. But assuming they're good black-marketeers, I still have to explain to the authorities where this large amount of cash came from.
So how do I go about selling to the black market in a safe way?
Oh, and I don't get to write a blog post about the bug or get my name in front of other researchers and recruiters. That can be worth a huge amount - both in cash and reputation.
There are companies that specialize in getting grey market bugs in important software, i.e. browsers and OSes. They are repeat players and have a reputation to actually pay out.
How much of a premium are they paying to make it worthwhile?
You can find some by researching. AIUI most intros are via personal connections. I'd be wary of the potential ethical implications. There is more than money to life.
Sure, I'd say the "sell it elsewhere" stuff is always a bit overly optimistic but due to the nature of this specific exploit I am pretty sure you could find a buyer offering good compensation.
You can also go through ZDI (owned by Trend Micro), but the payout will be lower. It’s in Trend Micro’s interest so they can get ahead in detections.
Yes, maybe the exploit could likely be modified to be more reliable. That's more work though.
Or just sell it to the israelis.
Not going to happen.
It won't be tax-free, though; you'd probably get a 1099, but if you're smart could set it up as corp to corp and deduct a bunch of other expenses from it. Part of the sale is signing a bunch of NDAs, etc so you can't then release it to others.
lol
You can't deny that you are way more likely to burn the exploit using it on a machine under watch than on a machine that is not...
That thorny ethical issue aside, I'm fond of pointing out that the IC's main alternative to CNE intelligence collection is human intelligence, and the cost of HUMINT simply in employee benefits dwarfs any near-term possible cost of exploit enablement packages; 7 figures is a pittance (remember: most major western governments are essentially benefits management organizations with standing armies).
Even given the seemingly vast sums earned by organized crime, government buyers are positioned to decisively outbid crime over the medium term. It's really early days for these markets.
In that light, what others would do is rarely a reliable indicator that you shouldn’t think twice about your actions, lest you regret later, once the thinking has happened.
My point is that this fact shouldn’t belong in a discussion about ethics, given how often widely held moral positions have come to be a source of regret.
Hello Defcon!
[1] https://nostarch.com/zero-day
[2] https://nostarch.com/hacking2.htm
[3] https://ia801309.us.archive.org/26/items/Wiley.The.Shellcode...
Google is quite unique here, particularly given Chrome is paying easily 10x what Mozilla would for a sandbox escape. Apple is in the middle -- per [1] a "WebContent sandbox escape" would be $50k, but to get $250k on their scale you need to combine that with a kernel bug.
So if you want to optimise for "value", you have to pick the targets that are easier (still not easy, obviously).
[1] https://bughunters.google.com/about/rules/chrome-friends/574...
[2] https://www.mozilla.org/en-US/security/client-bug-bounty/
Sounds fine to me.
[0]: https://en.wikipedia.org/wiki/Mozilla_Corporation
//Edit: Had a typo in my percentage. 20.000 of 157.000.000 is, indeed, 0.012% - that makes it 50x the amount of Google's percentage.
How much of the Mozilla foundation's income goes into product development nowadays?
Virtually all of Mozilla's income comes from the browser (via the Google search agreement). The vast majority of Google's revenue comes from ad revenue on search, YouTube, and Adsense. Not from Chrome directly. So they had less incentive to reward its security, but did so anyway. And they also do some of the best work in the industry, free, for competitors via Project Zero.
https://textslashplain.com/2024/10/13/content-blocking-in-ma... shows a ten-line ad blocker that blocks Google's ads, https://github.com/extesy/hoverzoom/discussions/670 is a list of polite email messages from people who'd like to have elevated access to browsers.
uBlock Origin Lite blocks YouTube ads just fine.
Do you really think Google wouldn't do anything about ad blockers? Especially now that no ads is one of the selling points of YouTube Premium?
Personally I believe that the browser is intended to defend against e.g. Facebook's apps. Google wants to make sure that if you buy a new device and it comes with a Facebook app preinstalled, it also comes with a browser. And that the browser isn't controlled by anyone who'd like to disrupt any of Google's many nice income streams.
That is why you see equivalent skill levels being paid differently in big tech compared to other places.
And why you see millions in salaries at some big techs' AI hiring.
It's really no secret that higher revenue means higher potential pay/more devs...
Surely a bug on Chrome is worth more than a bug on Firefox.
But more to your point: the bounty is more similar to an auction. Once you sell the bug to the software producer the black market has no more use of it, assuming it gets fixed.
Supply is constrained, so competition is on the demand side.
On the drug example demand is constrained, if you're the only buyer. So competition happens on the supply side.
The payment will stop immediately if Google thinks it's no longer needed, or if federal prosecutors (who have determined this payment is illegal) decide the remedy is to stop the payment. [1]
The CEO's job is simple. Say "I think we should take Google's money again this year", and then pocket several million of it. Ca-ching! What are your plans for post-Google-money? Uh uh... AI? Sell out our users to advertisers? [2] It's not looking good.
The Firefox market share continues to dwindle. The board continues to hob-nob with San Francisco socialites and "activists" and use Mozilla as a piggybank to fund their chums. [edit: removed line about Mitchell Baker as she does seem to have finally left]
[0] https://en.wikipedia.org/wiki/Mozilla_Corporation#Finances
[1] https://www.bloomberg.com/news/articles/2024-08-05/google-lo...
Mitchell has not been a member of the Mozilla Foundation or Mozilla Corporation boards since February 2025.
https://blog.mozilla.org/en/mozilla/mozilla-leadership-growt...
Won't complain about that.
Yup, clearly Mozilla.
$250k is loose change for Google.
Is monetary expenditure on vulnerability payouts really the primary determinant of who's taking security more seriously, by the way? Sounds a bit backwards to me.
* Or basically just compare black market prices, which already take the above 3 into account
Marching into the home office, kicking butt, and pointing at the whiteboard for their favorite pet project:
* Mozilla focusing on privacy
* Mozilla focusing on web standards
* Mozilla focusing on speed
* Mozilla (apparently, here) focusing on maximizing the size of payouts for bug bounties
Inspiring, Rocky-style music plays in the background.
In the foreground, a red line continuously traces slowly downward, with no perceivable relationship to the scenes in the montage.
I don't really understand how this works to "escape the sandbox". Normally it's like a website you visit that gets access it shouldn't have. But this talk about renderers and native APIs makes it seem like it's stuff another process on the computer would do?
The bug in the OP is for the second stage - breaking out of the sandbox.
The referenced `patch.diff` is basically for simulating a compromised renderer.
Once you're thinking along the lines of "Alright, if I had some order of flags, I could solve that thing over there. If I knew some kind of weights, I could solve that over there. And if I could find a light bulb I could deal with that over there", you're kinda in the mindset of finding an exploitation chain.
It's just that in the security world, it's more about bad memory accesses, confusing programs into doing the right actions with wrong files, file permissions being weird and such.
Edit: just wanted to riff on your analogy. It is relatively simple to crash/shoot down a rocket, but this exploit gets into the control room and could allow the attacker to see where all other rockets are going & maybe redirect/crash them.
The patch.diff part is hard to understand. Surely if you have a compromised renderer, you have effectively full access to the machine already?
Lot of companies will sit for months just to acknowledge your submission.
Google's security team is really good; however, sometimes things are controversial because certain bugs get ignored in the MS way, which is famous for not paying/not fixing.
Again, remember that grey market payouts are tranched, so you could get 3x more than Google would pay, or you could get 0.5x, and for much more work.
I'd really like that on both Linux and macOS.
* You can find killer clientside bugs where the bounty will cover a year's worth of compensation (bear in mind you'll get maybe 1.5 of these payouts a year on your own if you're good but replacement-level)
* You can find these kinds of bugs and work with brokers to sell them to grey-market buyers along with enablement/implants --- more development work, a little more market risk.
* You can find smaller, easier bugs (serverside, web bugs) that get nothing resembling these kinds of payouts but are much easier to find, and make good money on volume. This is a much more common way of making a living on bounty payments.
mdaniel•11h ago
I'd guess the curriculum is half reverse engineering and half reading any write-ups to see the attacks and areas of attack for inspiration
anthonj•11h ago
It takes a lot of passion and dedication to security and reverse engineering to get there.
WalterBright•11h ago
For example, when I'd review C code I'd look at the str???() function use. They are nearly always infested with bugs, usually either neglecting to add a terminator zero or neglecting to add sufficient storage for the terminating zero.
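An added example, not from the thread or any commenter, that reproduces the two str*() defects described above (no terminating zero written, no storage reserved for it) on constructed inputs, computing rather than performing the overrun, and puts a bounds-checked copy beside them; the buffer size and sample strings are made up:

```c
#include <stdio.h>
#include <string.h>

/* Added example, not from the thread. It reproduces the two str*() defects
 * described in the comment above (no terminating zero written, no storage
 * reserved for it) on constructed inputs, without performing any actual
 * out-of-bounds write, and shows a bounds-checked copy that avoids both. */

#define BUF 8   /* fixed-size destination used by every helper below */

/* Defect A: destination sized as strlen(src) instead of strlen(src) + 1.
 * Returns how many bytes strcpy() WOULD write past a dst_size buffer;
 * the copy itself is not performed, so the check is safe to run. */
size_t strcpy_overrun_bytes(const char *src, size_t dst_size) {
    size_t needed = strlen(src) + 1;           /* +1 for the '\0' */
    return needed > dst_size ? needed - dst_size : 0;
}

/* Defect B: strncpy(dst, src, sizeof dst) does not terminate when src is
 * at least sizeof dst long. Returns 1 if a '\0' ended up in dst, else 0. */
int strncpy_result_terminated(const char *src) {
    char dst[BUF];
    memset(dst, 'X', sizeof dst);              /* stand-in for stale stack bytes */
    strncpy(dst, src, sizeof dst);             /* the buggy idiom */
    return memchr(dst, '\0', sizeof dst) != NULL;
}

/* Hardened copy with strlcpy-style semantics: copies at most dst_size - 1
 * bytes, always writes a terminator (when dst_size > 0) and returns
 * strlen(src) so the caller can detect truncation (return >= dst_size). */
size_t safe_copy(char *dst, size_t dst_size, const char *src) {
    size_t src_len = strlen(src);
    if (dst_size == 0) return src_len;
    size_t n = src_len < dst_size - 1 ? src_len : dst_size - 1;
    memcpy(dst, src, n);
    dst[n] = '\0';
    return src_len;
}

/* Drives safe_copy() into a BUF-byte buffer.
 * Returns 1 if the copy was truncated, 0 if it fit, -1 if the result is
 * not terminated or does not match the prefix of src (should never happen). */
int safe_copy_demo(const char *src) {
    char dst[BUF];
    memset(dst, 'X', sizeof dst);
    size_t len = safe_copy(dst, sizeof dst, src);
    if (memchr(dst, '\0', sizeof dst) == NULL) return -1;
    if (strncmp(dst, src, strlen(dst)) != 0) return -1;
    return len >= sizeof dst ? 1 : 0;
}

int main(void) {
    const char *longer = "0123456789";       /* constructed: 10 chars, BUF is 8 */
    const char *fits   = "abc";
    printf("A: strcpy of %s into %d bytes overruns by %zu\n",
           longer, BUF, strcpy_overrun_bytes(longer, BUF));
    printf("B: strncpy(%s) terminated? %d, strncpy(%s) terminated? %d\n",
           longer, strncpy_result_terminated(longer),
           fits, strncpy_result_terminated(fits));
    printf("C: safe_copy(%s) -> %d, safe_copy(%s) -> %d\n",
           longer, safe_copy_demo(longer), fits, safe_copy_demo(fits));
    return 0;
}
```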
jve•9h ago
How can that language still be so popular?
rkomorn•9h ago
Edit: I guess I should've at least asked myself if the question was rhetorical.
AlienRobot•4h ago
All I want is a menubar, a toolbar, a statusbar, and some dialog windows. I don't want fading transitions when I click a tab.
It's crazy that I'm forced to write header files just to have a menubar.
Zig 1.0 can't come soon enough.
rkomorn•4h ago
Or... https://quickshell.org/ ?
jve•9h ago
No doubt there are valid reasons to use it; that is just the state of things, unfortunately.
WalterBright•1h ago
Back when I was musing about what D would be like, I happened across some BASIC code. I was drawn to the use of strings, which were so simple in BASIC. I decided that D would be a failure if strings weren't as easy to use as in BASIC.
And D strings turned out to be better than I'd dared hope!
I proposed an enhancement to C to get much of that benefit, but it received zero traction in the C community. Oh well.
https://www.digitalmars.com/articles/C-biggest-mistake.html
WalterBright•1h ago
It's also an easy language to write a compiler for. At one point I counted over 30 C compilers available for DOS.