Bug Bounty
Student’s software bug discovery supports picoCTF’s cybersecurity education efforts
By Michael Cunningham
Seunghyun Lee, a first-year Ph.D. student in 麻豆村’s , was recently conducting some routine research on Google Chrome’s source code.
Little did he know at the time that his customary research process of “fuzzing,” an automated software testing technique that involves inputting random or invalid data into a computer program and observing its behavior and output, would lead him to discover a vulnerability in the browser’s code that would result in a valuable bug bounty and a $462,000 gift to support cybersecurity education.
“I'm not actively looking for bug bounties,” Seunghyun explains. “It's sort of a side effect of my research where I need to look deeper into Chrome source code and then write code based on it, which automatically leads me to these vulnerabilities.”
Many companies that develop software offer bug bounty programs to help them identify and fix security issues before malicious actors can exploit them. Vendors offer bounties to researchers, often known as “ethical hackers,” to find vulnerabilities and responsibly report them to the vendors, so their developers can secure the vulnerabilities before they become publicly known.
Through his fuzzing research, Seunghyun discovered a faulty implementation in Google Chrome's WebAssembly type system. Subtle design issues in the WebAssembly code, including optimizing compilers, facilitated a series of bugs that led to fragile sites that could easily be exploited.
“This is what people call a renderer exploit,” Seunghyun says. “With renderer exploits, attackers can obtain native code execution in a lower-privileged renderer process, which is the process that literally renders your website. Renderer exploits are often the first step for an attacker to gain full control over a target device by combining other bugs.”
Upon discovering the series of bugs, Seunghyun reported them to Google via the Google Bug Hunters program. Representatives from Google triaged the vulnerability and confirmed it as a systemic issue that needed to be addressed, and one that was eligible for bounty compensation through its vulnerability reward program.
But rather than accept the bug bounty himself, Seunghyun has chosen to donate it to picoCTF, Carnegie Mellon’s cybersecurity competition and learning platform that teaches middle, high school, and college students technical security skills through a capture-the-flag (CTF) competition.
“I wanted to donate the bounty to picoCTF because I started my cybersecurity career by playing CTFs as a student, solving previous challenges and ‘wargame’ challenges,” Seunghyun says. “And I believe that was really a driving force for me to learn much more.
“picoCTF is a great platform that allows new students to get on board with cybersecurity,” he adds.
Google has matched Seunghyun’s bounty donation to picoCTF, leading to a total gift of $462,000 for the platform, which is offered free of charge to more than 600,000 active users across the globe. The gift is the single largest donation to picoCTF in its 12-year history.
“Seunghyun’s generous donation underscores the importance of supporting cybersecurity education by contributing to the resources we need to significantly enhance picoCTF’s ability to reach more students,” says Megan Kearns, picoCTF program director. “It empowers us to continue innovating and delivering high-quality, accessible training to the next generation of cybersecurity professionals.”
“Seunghyun exemplifies the power of using your skills to uplift others and inspires us all to make meaningful contributions to the cybersecurity community.”
Seunghyun’s goal is to continue to address these challenges through his research to help make the internet a more secure place for users. And he hopes that his gift might inspire other bug bounty hunters to contribute to picoCTF.
“When companies match these bounties, donations can be a particularly beneficial option for ethical hackers,” Megan says.
“For most security researchers, the ultimate goal is to create a system that automatically discovers and patches these bugs,” Seunghyun says. “We just currently lack the capabilities to do so. I want to continue to address these problems by developing a system that automatically finds exploitable bugs so that we can fix them in a timely manner.”