Friday, April 12, 2024
HomeBig DataGoogle On-line Safety Weblog: Vulnerability Reward Program: 2023 12 months in Evaluation

Google On-line Safety Weblog: Vulnerability Reward Program: 2023 12 months in Evaluation


Final yr, we once more witnessed the ability of community-driven safety efforts as researchers from world wide contributed to assist us establish and deal with 1000’s of vulnerabilities in our services and products. Working with our devoted bug hunter group, we awarded $10 million to our 600+ researchers based mostly in 68 international locations.

New Sources and Enhancements

Similar to yearly, 2023 introduced a collection of adjustments and enhancements to our vulnerability reward applications:

  • By our new Bonus Awards program, we now periodically provide time-limited, additional rewards for stories to particular VRP targets.
  • We expanded our exploit reward program to Chrome and Cloud by way of the launch of v8CTF, a CTF centered on V8, the JavaScript engine that powers Chrome.
  • We launched Cellular VRP which focuses on first-party Android purposes.
  • Our new Bughunters weblog shared methods during which we make the web, as a complete, safer, and what that journey entails. Check out our ever-growing repository of posts!
  • To additional our engagement with prime safety researchers, we additionally hosted our yearly safety convention ESCAL8 in Tokyo. It included stay hacking occasions and competitions, scholar coaching with our init.g workshops, and talks from researchers and Googlers. Keep tuned for particulars on ESCAL8 2024.

As in previous years, we’re sharing our 2023 12 months in Evaluation statistics throughout all of our applications. We wish to give a particular thanks to all of our devoted researchers for his or her continued work with our applications – we look ahead to extra collaboration sooner or later!

Android and Google Gadgets

In 2023, the Android VRP achieved important milestones, reflecting our dedication to securing the Android ecosystem. We awarded over $3.4 million in rewards to researchers who uncovered outstanding vulnerabilities inside Android and elevated our most reward quantity to $15,000 for important vulnerabilities. We additionally noticed a sharpened give attention to increased severity points because of our adjustments to incentivize report high quality and growing rewards for prime and significant severity points.

Increasing our program’s scope, Put on OS has been added to this system to additional incentivize analysis in new wearable know-how to make sure customers’ security.

Working carefully with prime researchers on the ESCAL8 convention, we additionally hosted a stay hacking occasion for Put on OS and Android Automotive OS which resulted in $70,000 rewarded to researchers for locating over 20 important vulnerabilities!

We might additionally prefer to highlight the hardwear.io safety conferences. Hardwear.io gave us a platform to have interaction with prime {hardware} safety researchers who uncovered over 50 vulnerabilities in Nest, Fitbit, and Wearables, and obtained a complete of $116,000 final yr!

The Google Play Safety Reward Program continued to foster safety analysis throughout well-liked Android apps on Google Play.

An enormous thanks to the researchers who made our program so successful. A particular shout out to Zinuo Han (@ele7enxxh) of OPPO Amber Safety Lab and Yu-Cheng Lin (林禹成) (@AndroBugs) on your exhausting work and persevering with to be among the prime researchers contributing to Android VRPs!

Chrome

2023 was a yr of adjustments and experimentation for the Chrome VRP. In Chrome Milestone 116, MiraclePtr was launched throughout all Chrome platforms. This resulted in elevating the issue of discovery of absolutely exploitable non-renderer UAFs in Chrome and resulted in decrease reward quantities for MiraclePtr-protected UAFs, as extremely mitigated safety bugs. Whereas code and points protected by MiraclePtr are anticipated to be resilient to the exploitation of non-renderer UAFs, the Chrome VRP launched the MiraclePtr Bypass Reward to incentivize analysis towards discovering potential bypasses of this safety.

The Chrome VRP additionally launched the Full Chain Exploit Bonus, providing triple the usual full reward quantity for the primary Chrome full-chain exploit reported and double the usual full reward quantity for any follow-up stories. Whereas each of those massive incentives have gone unclaimed, we’re leaving the door open in 2024 for any researchers trying to tackle these challenges.

In 2023, Chrome VRP additionally launched elevated rewards for V8 bugs in older channels of Chrome, with a further bonus for bugs present earlier than M105. This resulted in just a few very impactful stories of long-existing V8 bugs, together with one report of a V8 JIT optimization bug in Chrome since at the least M91, which resulted in a $30,000 reward for that researcher.

All of this resulted in $2.1M in rewards to safety researchers for 359 distinctive stories of Chrome Browser safety bugs. We have been additionally in a position to meet a few of our prime researchers from earlier years who have been invited to take part in bugSWAT as a part of Google’s ESCAL8 occasion in Tokyo in October. We capped off the yr by publicly asserting our 2023 Prime 20 Chrome VRP reporters who obtained a bonus reward for his or her contributions.

Thanks to the Chrome VRP safety researcher group on your contributions and efforts to assist us make Chrome safer for everybody!

Generative AI

Final yr, we additionally ran a bugSWAT live-hacking occasion concentrating on LLM merchandise. Other than enjoyable, solar, and so much to do, we additionally received 35 stories, totaling greater than $87,000 – and found points like Johann, Joseph, and Kai’s “Hacking Google Bard – From Immediate Injection to Information Exfiltration” and Roni, Justin, and Joseph’s “We Hacked Google A.I. for $50,000”.

To assist AI-focused bughunters know what’s in scope and what’s not, we just lately printed our standards for bugs in AI merchandise. This standards goals to facilitate testing for conventional safety vulnerabilities in addition to dangers particular to AI programs, and is a method that we’re implementing the voluntary AI commitments that Google made on the White Home in July.

Trying Ahead

We stay dedicated to fostering collaboration, innovation, and transparency with the safety group. Our ongoing mission is to remain forward of rising threats, adapt to evolving applied sciences, and proceed to strengthen the safety posture of Google’s services and products. We look ahead to persevering with to drive larger developments on the earth of cybersecurity.

An enormous thanks to our bug hunter group for serving to to make Google merchandise and platforms extra secure and safe for our customers world wide!

Thanks to Adam Bacchus, Dirk Göhmann, Eduardo Vela, Sarah Jacobus, Amy Ressler, Martin Straka, Jan Keller, Tony Mendez.



RELATED ARTICLES

LEAVE A REPLY

Please enter your comment!
Please enter your name here

Most Popular

Recent Comments