Security Experts:

Google Awards $40,000 for Chrome Sandbox Escape Vulnerabilities

Google has paid out a total of $40,000 for a couple of vulnerabilities that can be exploited to escape Chrome’s sandbox.

Google last week announced the release of an update for Chrome 77. Chrome 77.0.3865.90 should address a total of four vulnerabilities: a critical use-after-free bug in the UI, reported by Khalil Zhani; two high-severity use-after-free bugs in the media component; and a high-severity use-after-free in offline pages, reported by Brendon Tiszka.

While Google has yet to determine how much it will award Zhani and Tiszka for their findings, the tech giant has decided to pay out $20,000 for each of the media vulnerabilities.

The flaws, tracked as CVE-2019-13688 and CVE-2019-13687, were reported to Google by Man Yue Mo of the Semmle Security Research Team.

Fermín Serna, the CSO of Semmle, told SecurityWeek that the vulnerabilities are not very useful to attackers on their own, but can be highly valuable if combined with another type of weakness.

“The two vulnerabilities require an already compromised renderer and allows breaking out of Chrome's sandbox. This means that another vulnerability is needed first for a chain to browse a website and get unsandboxed code execution. It is still very valuable to be able to bypass Chrome's mitigations,” he explained via email.

Serna says his company has asked Google to donate the $40,000 reward. Google states in the rules of its Chrome Vulnerability Reward Program that it’s prepared to double donations if researchers want to donate their reward to a registered charity.

Semmle recently also earned a $10,000 bounty from Facebook for a critical DoS vulnerability in the social media giant’s Fizz TLS library. That bounty was also donated to charity and the amount was doubled by Facebook.

The company was also credited last year for finding a critical remote code execution vulnerability in the Apache Struts 2 open source development framework.

Semmle announced its global launch in August 2018, after raising $21 million in a Series B funding round. The company offers technologies designed to help organizations find coding errors that can introduce critical vulnerabilities, and for these technologies it was recently acquired by Microsoft-owned GitHub.

Related: Google Patches Actively Exploited Chrome Vulnerability

Related: Chrome 76 Patches 43 Vulnerabilities

Related: Chrome 77 Released with 52 Security Fixes

view counter
Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.