SerenityOS bug bounty program

Like any respectable software project, SerenityOS also runs a bug bounty program. I don't have a huge budget, but I want to reward good honest work.

I will pay $5 USD for exploitable bugs in these categories:

• Remote code execution.
• Local privilege escalation.
• Arbitrary code execution in the Browser when loading a remote web page.

Rules

• No rewards for bugs you caused yourself.
• The PoC exploit needs to work against the master branch at the time of claim.
• Max 5 bounties per person.
• No duplicates. If a bug is already reported, only the earliest reporter may claim the reward. This includes bugs found by continuous fuzzing systems.
• No rewards for bugs that require unlikely user interaction or social engineering.
• Remote bugs must be exploitable with an unmodified "default setup" of SerenityOS. Bugs in programs that are not started by default don't qualify.
• The PoC exploit needs to work on a QEMU-emulated CPU that supports SMAP, SMEP, UMIP, NX, WP, and TSD natively.
• SerenityOS always runs with assertions enabled, so you'll need to find a way around them.

Rewarded bounties will be listed here, and I will also make a video dissecting each exploit and showing what the bug was, and how I fix it.

To claim a reward, get in touch with me either on IRC (kling on Freenode) or via kling@serenityos.org

Past exploits:

• 2021-03-04: Iliad used a VLA stack overflow in the TCP implementation to smash a nearby kernel stack and become root. (Writeup and exploit)
• 2021-02-18: cees-elzinga combined a ptrace race condition with an ASLR bypass to modify /etc/passwd and become root. (Bug report and exploit)
• 2021-02-11: vakzz wrote the first-ever full chain exploit, stringing together a LibJS bug and a kernel bug to create a web page that got root access when viewed in our browser. (Writeup and exploit)
• 2020-12-22: ALLES! CTF found a kernel LPE due to missing EFLAGS validation in ptrace(). (Writeup and exploit)
• 2020-12-20: yyyyyyy found a kernel LPE due to a race condition between execve() and ptrace(). (Writeup and exploit)
• 2020-03-30: \0 claimed $5 for reporting that the documentation neglects to mention that the default anon user can use su to become root by default. Donated to "Kiwis for Kiwi" charity as per \0's request. Fixed with this commit.
• 2019-12-30: Fire30 found a kernel LPE due to bad userspace pointer validation. (Writeup and exploit)
• 2019-12-29: braindead found a kernel LPE due to a TOCTOU bug in clock_nanosleep(). (Writeup and exploit)