Who wants to join a Linux kernel debugging discord? discord.gg/fZn5dYnAU2
Specifically, the idea is to have an informal place to collaborate on syzkaller reports. We're drowning in them and there isn't really a suitable place to debug together in real time.
Conversation
Replying to
Note: Google VRP is paying generously for linux kernel patches, even patches that are already found by their syzkaller instance! Wanna earn a quick buck? Go fix some of the bugs! :)
1
6
25
Can you define "generously"? Genuinely curious. What limitations on the versions? Are missing -stable vulnerability fixes in scope?
1
1
I believe it really depends on the impact of the bug. Though you may find more info on google.com/about/appsecur . I believe can enlighten you more about this :)
2
4
Patch rewards is for proactive hardening, not so much fixing vulnerabilities.
From what I've seen, it's a lot harder to get money from patch rewards than from spending far less work reporting vulnerabilities with a basic proof of concept showing it's accessible / exploitable.
Yes, that was my understanding too. Hence why I was interested in examples of paying out for fixing known syzkaller reports :)
Months of work trying to land a security feature in the Linux kernel could get you $1337 from patch rewards vs. spending a week finding low hanging memory corruption bugs in privileged components like kernel drivers and get an easy $40000+ from Android Rewards.
1
2
5
Also, look at the those reward amounts on google.com/about/appsecur if you actually provide qualifying exploit chains.
The incentive is absolutely not working on proactive mitigations at all. If you care at all about getting money from bounties, that's a really bad use of time.
1
4