406 points | vk6 | 1 comment
Etheryte No.41867389
Given the severity, I can't help but feel that this is underpaid at the scale Google is at. Chrome is so ubiquitous and vulnerabilities like these could hit hard. Last thing they need to do is to send the signal that it's better to sell these on the black market.
replies(9): >>41867499 #>>41867548 #>>41867653 #>>41867666 #>>41867873 #>>41868146 #>>41868628 #>>41868995 #>>41869073 #
thrdbndndn No.41867548
I hate that every time a vulnerability is posted, someone has to argue about whether the bounty is high enough. It’s always followed by, "blah blah, they're pushing whitehats to sell it on the black market."

Vulnerabilities will always sell for more on the black market because there’s an added cost for asking people to do immoral and likely illegal things. Comparing the two is meaningless.

To give a straightforward answer: no, I don’t think $20k is underpaid. The severity of a bug isn't based on how it could theoretically affect people but on how it actually does. There's no evidence this is even in the wild, and based on the description, it seems complicated to exploit for attacks.

replies(2): >>41867627 #>>41867954 #
7thpower No.41867954
I suspect the fact that there is potentially a wider addressable market via the black market probably has more to do with the price setting mechanism than an immorality premium.

Although, maybe there is something to the immorality/illegality tax in this case. The author is in high school (how cool is that!?) and the article would probably hit differently to prospective employers if they were detailing the exploit they had sold to NK (which is to say nothing of how NK would feel about the sunlight).