(ARCHIVE) SerenityOS bug bounty program :^)
Note: This program is no longer in effect. Thank you everyone who participated!
Like any respectable software project, SerenityOS
also runs a bug bounty program.
I don't have a huge budget, but I want to reward good honest work.
I will pay $50 USD for exploitable bugs in these categories:
- Remote code execution.
- Local privilege escalation.
- Arbitrary code execution in the Browser when loading a remote web page.
Rules
- No rewards for bugs you caused yourself.
- The PoC exploit needs to work against the master branch at the time of claim.
- Max 3 bounties per person.
- No duplicates. If a bug is already reported, only the earliest reporter may claim the reward. This includes bugs found by continuous fuzzing systems.
- No rewards for bugs that require unlikely user interaction or social engineering.
- Remote bugs must be exploitable with an unmodified "default setup" of SerenityOS. Bugs in programs that are not started by default don't qualify.
- The PoC exploit needs to work on a QEMU-emulated CPU that supports SMAP, SMEP, UMIP, NX, WP, and TSD natively.
- SerenityOS always runs with assertions enabled, so you'll need to find a way around them.
To claim a reward, get in touch with me either on the SerenityOS Discord (awesomekling) or via kling@serenityos.org. (And even if you are not interested in the reward, I'd still like to hear about any exploits!)
Past exploits:
- 2021-03-04: Iliad used a VLA stack overflow in the TCP implementation to smash a nearby kernel stack and become root. (Writeup and exploit)
- 2021-02-18: cees-elzinga combined a ptrace race condition with an ASLR bypass to modify
/etc/passwd
and become root. (Bug report and exploit)
- 2021-02-11: vakzz wrote the first-ever full chain exploit, stringing together a LibJS bug and a kernel bug to create a web page that got root access when viewed in our browser. (Writeup and exploit)
- 2020-12-22: ALLES! CTF found a kernel LPE due to missing EFLAGS validation in
ptrace()
. (Writeup and exploit)
- 2020-12-20: yyyyyyy found a kernel LPE due to a race condition between
execve()
and ptrace()
. (Writeup and exploit)
- 2020-03-30: \0 claimed $5 for reporting that the documentation neglects to mention that the default anon user can use
su
to become root by default. Donated to "Kiwis for Kiwi" charity as per \0's request. Fixed with this commit.
- 2019-12-30: Fire30 found a kernel LPE due to bad userspace pointer validation. (Writeup and exploit)
- 2019-12-29: braindead found a kernel LPE due to a TOCTOU bug in
clock_nanosleep()
. (Writeup and exploit)