Chrome tarnished by Glazunov again

Sergey Glazunov, a university student in Russia, has been recognised by Google many times with special awards as well as cash for reporting Chrome security bugs since they started their program in January 2010. Here are his awards from just one version changelog last year:

  • [$1337] [65764] High Bad pointer handling in node iteration. Credit to Sergey Glazunov.
  • [$1000] [66560] High Stale pointer with CSS + canvas. Credit to Sergey Glazunov.
  • [$1000] [68178] High Bad cast in anchor handling. Credit to Sergey Glazunov.
  • [$1000] [68181] High Bad cast in video handling. Credit to Sergey Glazunov.
  • [$3133.7] [68666] Critical Stale pointer in speech handling. Credit to Sergey Glazunov.

Including the above list, he has earned $3,133.7 (eleet) twice, $2,500 three times, $2,337 three times, $2,000 twice, $1,337 (leet) five times, $1,000 thirty-six times, and $500 once ($67,963.4 total).

He was the first to win the “3133.7” level award. Now he has won the $60,000 purse for finding a full exploit during the Google Pwnium competition.

Economists might be tempted to ponder whether a researcher would hold back a more valuable exploit until offered the higher purse, or whether a higher purse gives incentive to find a more valuable exploit. $60,000 for one exploit instead of $67,963.4 for fifty-two exploits is a study in incentives, but it also raises the question of the cost of handling/defending one flaw versus fifty-two.

Updated March 9 to add: Another young man has proven a full exploit in Chrome. This other person said the bug was easy to find, but unlike Glazunov he found it hard to get the attention of Google. Wired just ran a story that references the point I make above about Glazunov’s experience.

[Glazunov] is one of Google’s most prolific bug finders and earned around $70,000 for previous bugs he’s found under the company’s year-round bug bounty program. As such, he’s very familiar with the Chrome code base.

I saw no reference anywhere to the totals won by Glazunov before I wrote this post. I would have waited if I had known Wired would add it up and run it in a story, instead of spending time compiling the data myself.

More important to this story, however, is a comparison of the researchers. Wired doesn’t do much analysis on their motives. Wired seems to also hint that Pinkie Pie is a relative newcomer compared to Glazunov but I think that’s a mistake. The big difference I see is that Glazunov uses his real name, as a student, and regularly submits his bugs while the other wants to remain anonymous and has asked for a job from Google but otherwise has been reluctant to submit his research for public verification.

The tall teen, who asked to be identified only by his handle “Pinkie Pie” because his employer did not authorize his activity, spent just a week and a half to find the vulnerabilities and craft the exploit, achieving stability only in the last hours of the contest.

[…]

Pinkie Pie, wearing shorts, a t-shirt and glasses, said he’d never submitted a vulnerability report to Google before, but he had sent his resume to the company last year seeking a job. He wrote in his cover note that he could crack Chrome on OSX, but he never got a reply.

Claiming in a cover letter that you can crack Chrome on OSX, without having submitted the exploits for verification, is a passive method at best. The hiring department probably gets a lot of letters with unsubstantiated claims, so it’s understandable that they waited for more proof instead of jumping on it. However, I also see why Pinkie Pie might have chosen to make a claim instead of offering proof when applying for the job. Submitting an exploit for a $60,000 purse is an opportunity to win simply upon verification, whereas submitting for a job is a far riskier option that can lead to rejection and far less money, even after verification.
