Sandbox Escape

  • Bounties provided by IBB
  • Minimum bounty: $5,000
  • Hackers thanked: 2
  • Bugs closed: 2

The Internet Bug Bounty is issuing rewards for sandbox escapes - techniques that allow vulnerabilities to escape popular application sandboxes. The specifics of these techniques will differ between implementations but typically manifest as a kernel vulnerability, broker vulnerability, or logic error.

Qualifying Application Sandboxes

  • Chrome (for any sandboxed process types including renderers, Pepper Flash and NaCl)
  • Internet Explorer 10 EPM
  • Adobe Reader (sandboxed in X and newer)
  • Adobe Flash

Qualifying Operating Systems

  • Windows 7+
  • Linux, latest upstream version
  • OS X, latest release

Additional Guidance

  • Qualifying vulnerabilities must reliably demonstrate the ability, or likely ability, to escape one of the defined sandboxes. Demonstrating full exploitation is helpful but not necessarily required to qualify.
  • Implementation bugs in these sandboxes themselves are not in scope and should be reported directly to the appropriate vendor. Your submission should include why you believe the bug is external to the application itself (e.g., a kernel bug).
  • The Panel is a group of your peers serving as volunteers. They have a limited amount of free time to deeply investigate bugs, so they kindly request that you write clear, concise reports, ideally accompanied by a working proof-of-concept. For example, do not send unminimized raw fuzz dumps, and do send evidence that any crash is likely exploitable.
  • The Panel is available to assist with the coordinated disclosure of any potential vulnerabilities. However, we recognize that we may not be the most effective avenue in all circumstances. We will gladly consider rewards for vulnerabilities that have been publicly disclosed through some other means, provided they adhered to our disclosure guidelines.
  • Examples of qualifying vulnerabilities: CVE-2013-0913, CVE-2013-1300

Bounty Guidance

  • Minimum reward of $5,000 with significantly higher rewards granted at the Panel's discretion

  • The Internet Bug Bounty rewarded datuzi with a $5,000 bounty for a Sandbox Escape bug: Win32k Window Handle Vulnerability (EoP). (about 2 months ago)
  • Sandbox Escape resolved Linux 3.4+: arbitrary write with CONFIG_X86_X32 that was submitted by pageexec. (3 months ago)
  • Sandbox Escape resolved Win32k Window Handle Vulnerability (EoP) that was submitted by datuzi. (3 months ago)
  • Sandbox Escape has started using HackerOne. (4 months ago)