Bug bounty? I think I’ve uncovered a potential attack using extensions (ddos)

[Papillon]

Is there a bug bounty program for uncovering potential flaws, bugs, or malicious use cases of extensions?

I had a realisation that extensions could be used maliciously and was initially going to do a blog post about the findings, but a fellow developer told me that sometimes you can get a reward for uncovering such information.

Obviously will go into much more detail with the right people.

So, I’m wondering who can I talk to and if such a thing exists with chrome extensions?

Thanks

[Papillon]

Is google bug hunters the correct place, specifically the “chrome vulnerability reward program”? Or something else

[Oliver Dunk]

Hi Papillon,

Chrome extensions are in scope for the Chrome bug bounty program: https://bughunters.google.com/about/rules/5745167867576320/chrome-vulnerability-reward-program-rules

There's a link there to the correct issue template which you can use to file the bug. Please do go ahead and report anything that seems relevant!

It's worth reading the entire extensions security FAQ, in your case it sounds like the section on DOS attacks may be helpful: https://chromium.googlesource.com/chromium/src/+/main/extensions/docs/security_faq.md#i_ve-found-written-an-extension-that-can-make-the-browser-unusable-once-installed-i_e_constantly-reload-pages_close-every-new-window_is-this-a-security-bug

Hope this helps,

Oliver Dunk | DevRel, Chrome Extensions | https://developer.chrome.com/ | London, GB

--
You received this message because you are subscribed to the Google Groups "Chromium Extensions" group.
To unsubscribe from this group and stop receiving emails from it, send an email to chromium-extens...@chromium.org.
To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/chromium-extensions/48c02c85-024e-4266-8b2d-83ed9f026729n%40chromium.org.