406 points vk6 | 3 comments
Etheryte No.41867389
Given the severity, I can't help but feel that this is underpaid at the scale Google is at. Chrome is so ubiquitous and vulnerabilities like these could hit hard. The last thing they need to do is to send the signal that it's better to sell these on the black market.
thrdbndndn No.41867548
I hate that every time a vulnerability is posted, someone has to argue about whether the bounty is high enough. It’s always followed by, "blah blah, they're pushing whitehats to sell it on the black market."

Vulnerabilities will always sell for more on the black market because there’s an added cost for asking people to do immoral and likely illegal things. Comparing the two is meaningless.

To give a straightforward answer: no, I don’t think $20k is underpaid. The severity of a bug isn't based on how it could theoretically affect people but on how it actually does. There's no evidence this is even in the wild, and based on the description, it seems complicated to exploit for attacks.

n2d4 No.41867627
> The severity of a bug isn't based on how it could theoretically affect people but on how it actually does

No, it's priced on demand and supply like anything else; bug bounties are priced to be the amount that Google thinks it takes to incentivise hunters to sell it to them, vs. to black hats.

luismedel No.41867692
I know not everyone shares my world-view, but I need to be literally starving to consider selling whatever I discover to a criminal.

principles > wild market

1. Arnt No.41868715
Not going to name names, but someone I know was happy when his workplace was acquired by a bigger company from another country. He was the most senior developer, had done the heavy lifting, the product did a good job for its happy users and the buyer would continue that, and last but not least, he'd be rich. Admittedly part of the agreement was a handshake; there had been so much to do, they'd worked insane amounts of overtime and some paperwork had been deferred…

He got nothing. No money at all. The CEO pretended to have forgotten every verbal agreement.

You only need to experience that kind of thing once to change your mind.

2. kevindamm No.41868987
To change your mind about making sure everything is in writing in a binding contract?
3. Arnt No.41869074
I'd guess most people would react in one of three ways, including that one. I can understand all three.