Statement on "HXP CTF Chrome 0day bug"

Martin Radev (sisu), July 21st 2023

This is a statement by Martin Radev (sisu, ex-HXP CTF team member) on the issue of handling the discovered Chromium 0day during the HXP CTF in 2023.

I would like to first apologize for the inconvenience caused and think I could have handled the disclosure better:

I would like to thank Leonardo for discovering the bug during the CTF. Leonardo himself discovered a 0day bug in Chrome Linux affecting millions of users.

I would like to emphasize that my reporting of the bug in 2 weeks was in fact late, and that Leonardo or I should have reported it within a few days. We both strive to be security experts, knew it was a 0day in Chrome Linux and I believe we both understood the severity. Extending the CTF rule system to streamline reporting of discovered 0days during CTFs will help prevent future mishaps.

I don't believe there was any malicious behavior by either Leonardo or me. I miscommunicated for reasons, and the bug was reported late by Leonardo for reasons. Sometimes life gets in your way.

I would also like to thank the Chrome engineering team for providing an initial fix promptly, and for the Chrome VRP team providing a reward for the report.

The Chrome VRP program exists to incentivize responsible bug reporting and to support bug hunting efforts. Information on Google's vulnerability disclosure policies can be found here, and information on the Chrome Vulnerability Reward Program can be found here. My personal view is that comprehensive write-ups and "Proof-of-concept exploits" stray away from such bounty programs, and that bug finders should focus their energy on reporting the issue and working with developers on fixing it. PoC exploits can be developed in parallel to developers fixing the issue, and a comprehensive write-up can be written later and published after the bug is made public.

This statement features reasoning and timeline from my perspective, and may differ from that of other relevant participants. I don't have access to HXP chat communication and the timeline spans many months, so exact dates and words may be fuzzy.

July-November (fuzzy), 2022

Martin looks into ANGLE+SwiftShader with goal of making a CTF "zaj" challenge.

Martin finds and triages an ES31 bug in personal time.

Martin knows bug is exploitable.

Martin thinks the bug is not a 0day bug in Chrome.

Martin is a previous ANGLE contributor (2016-2017) and has high confidence in his analysis.

Martin prepares the "shadertoy_plus_plus" challenge: an ANGLE+SwiftShader compute shader service which CTF teams need to exploit.

Martin considers this and other Compute Shader-specific bugs to be easy to find, and that they would not apply to Chrome.

December 27, 2022

Martin reports compute shader bug to Chrome via https://crbug.com/1403728.

Jan 11, 2023

Chrome engineers agree on crbug that the issue is not applicable to Chrome.

Martin thinks the timing and lack of severity align perfectly with having this as a challenge and expected solution for HXP CTF 2022 (held in 2023).

March 11th-March 12th, 2023

Leonardo solves challenge "shadertoy_plus_plus" in HXP CTF 2022 through another bug.

Leonardo reaches out to HXP during the CTF on irc to ask if the solution is intended.

Martin roughly at this time checks Leonardo's solution from collected network packet traffic, suspects it will be applicable to Chrome Linux and does a quick check on his personal browser.

Martin shares immediately with Leonardo over irc that Leonardo's finding is a 0day in Chrome Linux.

Martin requests Leonardo to report bug to Chrome because this is a severe issue.

Martin shares with HXP team that "team copy" found a Chrome Linux 0day.

March 26th, 2023

Martin is a bit worried about this bug: "team copy" knows and has repro, HXP team knows and has repro, other participating teams have the shadertoy_plus_plus challenge and may find it.

Martin wants to ensure the bug is fixed knowing it's a 0day in latest Chrome Linux, considers two weeks to be enough time for "team copy" to report it, and wants to move on from the already finished HXP CTF.

Martin reports issue to Chrome via https://crbug.com/1427865.

Martin states in the report: "I did not discover the bug", "I'm not 100% sure it was reported to the chromium team, so I wanted to be safe.", "member of team COPY found a 0day bug", "This report is to ensure it gets handled in case team COPY has not yet reported it."

Martin should have taken more steps to find out who "team copy" is. Martin did a Google search for "copy ctf team" but didn't investigate further, which was a mistake.

Martin considered things could be handled later with "team copy".

Martin considered it is his responsibility to ensure bug is reported and fixed.

March 27th, 2023

Martin states on the bug: "Could you please check if this bug is not a duplicate of any other reported bug?". "As shared, the issue was discovered by a participating team in our CTF"

Martin finds out from crbug that there is no duplicate, which could mean "team copy" has not reported the issue.

Martin shares in the HXP team chat room his surprise that "team copy" did not report the bug.

The rest of the HXP members assumed Martin obtained this information by contacting "team copy" directly, because the rest of the HXP members know "team copy" is actually "0rganizers".

April 8th-April 25th, 2023

Martin finds out a reward is given for the reported bug.

Martin receives 10'000 USD in his bank account.

Martin didn't provide bank details to Google, and did not fill in additional forms.

Possibly Google had Martin's bank details from Google CTF 2020 write-up rewards.

Around April, 2023

Martin shares with one HXP member the existence of a bounty and asks for the person's opinion.

Martin shares that he would give "team copy" a percentage when bug is public.

Martin should have anticipated the possibility of rapid public escalations soon after bug is made public considering there is a bounty.

Martin does not try to seek out "team copy" or "Leonardo", but should have.

HXP team does not know the bounty size.

June, 2023

Leonardo reports bug through his employer (third party) to Chrome after developing a Proof-of-Concept exploit and write-up.

Martin was not aware of the report.

July 5th (late evening), 2023

The bug is made public on July 5th 20:38 EEST, and shared as a tweet at 22:12 EEST.

CTF community discovers https://crbug.com/1427865 after it is made public, and disagrees with how it was handled by Martin.

Leonardo sends personal email to Martin to explain his surprise, shares some information on his side and his unmet expectations.

Leonardo shares he has reported the issue through his employer (third party) in June, which has delayed the report.

July 6th (morning), 2023

In the morning, Martin sees email from Leonardo, briefly explains to Leonardo his views and proposes to share the bounty with him.

Martin shares with Leonardo that reporting after 3 months is questionable.

Martin does not understand the involvement of Leonardo's employer: it's a CTF and issue is found in free time.

Martin shares with Leonardo that Martin needs to consult the tax office. Martin should have elaborated that Martin needs to pay income tax over bounty because the reward is considered income.

Martin should have explicitly shared that transferring all 10'000 USD now could incur a loss of a few thousand to Martin due to owed taxes.

Martin asks Leonardo "Want to make a proposal how much you think you deserve in this situation?" (This should have been expressed in a better way).

Martin assures he will stay in touch over this.

July 6th, 2023

CTF community and relevant actors from "team copy" share perspectives on social media (Twitter and Discord) without knowledge of ongoing communication among relevant parties.

Martin finds out through other HXP team members about the Discord CTF community and their public discontent, joins the Discord channel and shares his views.

July 6th, 2023

HXP team members are aware of ongoing communication between Leonardo and Martin.

A few online fellow HXP members prepare a public statement and ask Martin to read it.

Martin reads it, disagrees with many points, but gives green light for HXP to post it.

The online HXP members and Martin wanted to reduce escalations.

Martin thanks HXP and leaves team by his own decision.

July 7th, 2023

Leonardo sends email to Martin with request: full amount (10'000 USD) be given to Leonardo or Google and requests "proper credit on the Chrome side".

Martin sends email to Leonardo with proposed next steps and requests clarifications on Leonardo's expectations.

Martin contacts Chrome VRP to help understand options on meeting Leonardo's expectations.

Leonardo is checking next steps with his employer (third party).

July 8th, 2023

Martin contacts HXP to review original statement. Few members of HXP agree timeline is accurate.

Martin contacts Leonardo to review original statement. Commenting on the statement is not possible due to conflicts with third parties.

July 10th, 2023

Google VRP shares a statement on the public bug.

July 10th-15th, 2023

Leonardo and Martin continue checking with third parties on resolving the issue.

July 18, 2023

Chrome VRP shares a statement on the bug regarding attribution: Apple SEAR is attributed for finding the bug, sisu from HXP for creating the challenge and reporting the bug, and Team HXP for organizing the CTF.

July 21, 2023

Martin makes minor adjustments to statement, publishes it and shares it with CTF community.

Sept 23, 2023

Martin donates full amount to University of Helsinki's Global Scholarship Fund.

At this point, credit is given for finding the bug but resolving the money still remains.

Leonardo and I are still exploring a good way to make use of the reward. Once finalized, information will be shared here.

The full bounty was donated to University of Helsinki's Global Scholarship Fund to support their international students.
All parties consider the issue of HXP CTF Chrome 0day bug to be resolved.

I still want to finish this on a positive note:

Martin Radev

Changelist: