And why browser security is underestimated.

Bounties

Reddit users agree that Google pays too little for browser security. https://tinyurl.com/y8ort2qj

Let’s compare bounties for XSS in Google services with UXSS in Chrome. You report XSS in a Google service and get from 3113$ to 7500$ (or even more). You report UXSS in Chrome and get 7500$ in the best case.

UXSS = bypass Same-Origin-Policy

Imagine, an attacker could get cookies from all pages you’ve visited, embed BeEF hooks, and make other funny things.

UXSS that compromises millions of Chrome users is considered at least equal to XSS in one of Google’s services. As far as I remember, one XSS on accounts.google.com was estimated at 13k$. Max bounty for UXSS is 7500 + 1337 for a patch, assuming the report includes a PoC and explanation.

The Chrome browser, installed on millions or even billions of devices, isn’t as valuable for Google as their services and platforms. Just compare Google to some companies on Hackerone (e.g., Uber). Yeah, these companies pay more than Google for vulnerabilities affecting only their services & reputation and nothing more.

Nobody cares about your browser

Even if it sounds “crazy”, it makes sense https://tinyurl.com/y8ort2qj

I hope it’s obvious now that Google underestimates browser security. Google should sometimes recall that Chrome has almost 65% global market share. Instead, they’re offering a big bounty (100k$) for ChromeOS, whose global market share is even hard to figure out (approximately 0.5–0.6%).

Note that I didn’t say that Google doesn’t care about security. Google cares, but in some ridiculous way.

The Chrome security team works well. Low bounties could possibly be explained by Google’s approach of relying on internal teams. However, you can check the CVEs found during any Chrome release and find out that independent researchers and project members (not employees) report many (or even most) issues. So, low bounties can’t be explained by the approach of relying on internal research only.
Apple doesn’t need to help somebody hack you, because they already helped

Do you remember that case when Apple refused to help the FBI bypass Touch ID? That’s a good PR move only.

Note: Zerodium considers Touch ID and passcode bypass as the least severe vulnerabilities.

Why is it a PR move only? Because a Google Project Zero member (lokihardt) found (at least) 22 UXSS from Dec 2016 to Mar 2017. Some of them were regression tests, like CVE-2017-2508.

CVE-2016-6755 = CVE-2017-2508 = regression test

That means developers have known for more than one year that this vulnerability was patched only in Chrome, and the problem persisted in Safari until Project Zero found it during research.

Another good example is CVE-2017-2364. I bet that it was found or even used before Project Zero’s audit, because it’s very simple to exploit compared to other vulnerabilities.

Apple doesn’t care

Let’s note that Apple doesn’t have a bug bounty program for Safari (WebKit). As opposed to Google, which has bug bounty programs, Apple probably wants hackers to submit their research directly to the “black market”. So, all these posts and news about how much Apple cares about privacy and security are just myths. Additionally, it could be proved by comparing the number of CVEs in iOS/MacOS/WebKit with CVEs in Android/Chrome in the last few years. You have possibly already seen such comparisons.

Even Firefox has bug bounties for both web and browser. However, Mozilla Foundation is a non-profit organization, not a 1 trillion dollar company.

Thanks for reading 😈

Github: https://github.com/Metnew
Twitter: https://twitter.com/vladimir_metnew
UXSSs: https://github.com/Metnew/uxss-db