The Internet Bug Bounty is issuing rewards for sandbox escapes - techniques that allow vulnerabilities to escape popular application sandboxes. The specifics of these techniques will differ between implementations but typically manifest as a kernel vulnerability, broker vulnerability, or logic error.
Qualifying Application Sandboxes
- Chrome (for any sandboxed process types including renderers, Pepper Flash and NaCl)
- Internet Explorer 10 EPM
- Adobe Reader (sandboxed in X and newer)
- Adobe Flash
Qualifying Operating Systems
- Windows 7+
- Linux, latest upstream version
- OSX, latest release
- Qualifying vulnerabilities must reliably demonstrate the ability, or likely ability, to escape one of the defined sandboxes. Demonstrating full exploitation is helpful but not necessarily required to qualify.
- Implementation bugs in these sandboxes themselves are not in scope and should be reported directly to the appropriate vendor. Your submission should include why you believe the bug is external to the application itself (e.g., a kernel bug).
- The Panel is a group of your peers serving as volunteers. They have limited amount of free time to deeply investigate bugs, so they kindly request that you write clear, concise reports ideally accompanied with a working proof-of-concept. e.g., do not send unminimized raw fuzz dumps, and do send evidence that any crash is likely exploitable.
- The Panel is available to assist with the coordinated disclosure of any potential vulnerabilities. However, we recognize that we may not be the most effective avenue in all circumstances. We will gladly consider rewards for vulnerabilities that have been publicly disclosed through some other means, provided they adhered to our disclosure guidelines.
- Examples of qualifying vulnerabilities: CVE-2013-0913, CVE-2013-1300
- Minimum reward of $5,000 with significantly higher rewards granted at the Panel's discretion