1.Introduction
Naver Corp. launches the Whale Security Bug Bounty Program to encourage security researchers in helping us to find and fix security vulnerabilities on Whale and to reward their efforts spent to make our product more safe.
2.Scope
We focus on bugs in the latest version of Whale browser
- The bugs must be reproducible on the latest version in the time of reporting
- Bugs in third party libraries used by only Whale (not Chromium) are eligible
- Bugs in synchronization are eligible
Vulnerabilities in other applications or services, including the followings, are NOT eligible.
- All of Naver web services are out-of-scope (e.g. *.naver.com, *.navercorp.com)
- Web servers communicating with built-in extensions (e.g. Papago, Belli) are out-of-scope
- URL preview spoofing in status bar is out-of-scope
3.Reward Amounts
| Vulnerability | Examples | Maximum Rewards |
|---|
| Sandbox Escape | File system access, Arbitrary external program execution | USD $7,500 |
| Remote Code Execution | Arbitrary code execution using memory corruption bugs without sandbox escape | USD $5,000 |
| Same Origin Policy Violation | Universal XSS | USD $4,000 |
| Information Leak | Arbitrary memory read | USD $2,000 |
| Protection Bypass | Bypassing malicious program download protection, Bypassing blocking malicious pages | USD $750 |
| Spoofing | Address bar spoofing, Referer spoofing | USD $500 |
| Built-in Extensions Vulnerabilities | XSS in built-in extensions | USD $500 |
| Others | | USD $500 |
- We decide the final reward amount based on quality of the report and severity of the vulnerability
- We may pay reduced reward amounts if the vulnerability requires complex user interactions
- We may pay reduced reward amounts if the vulnerability is introduced by a third party
- We can pay higher reward amounts for new class of vulnerability types or clever exploitation techniques
#4. Ineligible Submissions
We do not pay cash rewards for the following cases
- Any bugs reproducible in other Chromium-based browsers which use the same release
- Any bugs in operating systems or hardwares
- Bugs not reproducible on the latest version
- Bugs that are already reported by other participant, or aware by internal reviews
- Public bugs
- Theoretical vulnerabilities without proof of concept
- Simple crash by an assertion or Denial-of-Service (DoS) attack
- Requiring too much complex user interactions
- Vulnerabilities occured when manually disabling security features
- Bugs in experimental features (whale://flags)
- Bugs that are already reported to third parties
#5.Restrictions and Disclosure Policy
- Do not disclose the details of the vulnerability until the vulnerability is fixed and the fix is released to most users
- Do not engage in any activity that would be disruptive or damaging to other users
- Naver employees cannot participate this program
6.Reporting Bugs
Please submit your report via report page. Please give us the following information if available:
- Summary of the vulnerability
- Minimized Proof of Concept (PoC) code
- Functional exploitation code
- PoC to show exploitability (e.g. register control)
- Stack trace when crashed by the bug
- Analysis of the bug
- Attack scenario using the bug
Contact us at [email protected] if you have any question.
※ Do NOT include any vulnerability details in the email.
