V8 exploits – so hot right now

Google is offering an enhanced bug bounty for “high quality” reports that show how vulnerabilities in the open source V8 JavaScript engine might potentially be used as part of a real-world attack.

Previously exploits had to be fully functional to be rewarded at the highest tier – ‘high-quality report with functional exploit’ – and qualify for Google’s top tier of bug bounty pay-outs.

Now, though, the browser maker says that it’s making it easier to qualify for higher rewards and treating its V8 JavaScript engine as a special case in the hope of learning more about the exploitability of different bug classes, and the mechanisms that can lead from an initial bug to a full exploit.

“Demonstration of how a bug might be exploited is one factor that the panel may use to determine that a report is ‘high-quality’, our second highest tier, but we want to encourage more of this type of analysis,” says Chrome Vulnerability Rewards panellist Martin Barbella in a blog post.

“This information is very useful for us when planning future mitigations, making release decisions, and fixing bugs faster. We also know it requires a bit more effort for our reporters, and that effort should be rewarded.”

Start your engines

Reports qualifying for the new bonus will get double the previous amount. A high-quality report with functional exploit of a renderer or remote code execution/memory corruption in a sandboxed process, for example, will now net its discoverer up to $20,000.

And researchers shouldn’t have to jump through too many hoops to qualify for the new rewards.

“Any V8 bug report which would have previously been rewarded at the high-quality report with functional exploit level will likely qualify with no additional effort from the reporter. By definition, these demonstrate that the issue was exploitable,” says Barbella.


Catch up with the latest bug bounty security news


“V8 reports at the high-quality level may also qualify if they include evidence that the bug is exploitable as part of their analysis.”

There’s more information on changes to the Chrome Vulnerability Reward Program here.

Google appears to be ramping up its browser engine security efforts more generally. In October, the company launched a new pilot project offering $50,000 in cloud computing credits for new approaches to JavaScript engine fuzzing.


RECOMMENDED XSS for PDFs – New injection technique offers rich pickings for security researchers