Details

1.Introduction

Naver Corp. launches the Whale Security Bug Bounty Program to encourage security researchers in helping us to find and fix security vulnerabilities on Whale and to reward their efforts spent to make our product more safe.

2.Scope

We focus on bugs in the latest version of Whale browser

The bugs must be reproducible on the latest version in the time of reporting
Bugs in third party libraries used by only Whale (not Chromium) are eligible
Bugs in synchronization are eligible

Vulnerabilities in other applications or services, including the followings, are NOT eligible.

All of Naver web services are out-of-scope (e.g. *.naver.com, *.navercorp.com)
Web servers communicating with built-in extensions (e.g. Papago, Belli) are out-of-scope
URL preview spoofing in status bar is out-of-scope

3.Reward Amounts

Vulnerability	Examples	Maximum Rewards
Sandbox Escape	File system access, Arbitrary external program execution	USD $7,500
Remote Code Execution	Arbitrary code execution using memory corruption bugs without sandbox escape	USD $5,000
Same Origin Policy Violation	Universal XSS	USD $4,000
Information Leak	Arbitrary memory read	USD $2,000
Protection Bypass	Bypassing malicious program download protection, Bypassing blocking malicious pages	USD $750
Spoofing	Address bar spoofing, Referer spoofing	USD $500
Built-in Extensions Vulnerabilities	XSS in built-in extensions	USD $500
Others		USD $500

We decide the final reward amount based on quality of the report and severity of the vulnerability
We may pay reduced reward amounts if the vulnerability requires complex user interactions
We may pay reduced reward amounts if the vulnerability is introduced by a third party
We can pay higher reward amounts for new class of vulnerability types or clever exploitation techniques

#4. Ineligible Submissions
We do not pay cash rewards for the following cases

Any bugs reproducible in other Chromium-based browsers which use the same release
Any bugs in operating systems or hardwares
Bugs not reproducible on the latest version
Bugs that are already reported by other participant, or aware by internal reviews
Public bugs
Theoretical vulnerabilities without proof of concept
Simple crash by an assertion or Denial-of-Service (DoS) attack
Requiring too much complex user interactions
Vulnerabilities occured when manually disabling security features
Bugs in experimental features (whale://flags)
Bugs that are already reported to third parties

#5.Restrictions and Disclosure Policy

Do not disclose the details of the vulnerability until the vulnerability is fixed and the fix is released to most users
Do not engage in any activity that would be disruptive or damaging to other users
Naver employees cannot participate this program

6.Reporting Bugs

Please submit your report via report page. Please give us the following information if available:

Summary of the vulnerability
Minimized Proof of Concept (PoC) code
Functional exploitation code
PoC to show exploitability (e.g. register control)
Stack trace when crashed by the bug
Analysis of the bug
Attack scenario using the bug
Contact us at [email protected] if you have any question.

※ Do NOT include any vulnerability details in the email.

2.Scope

We focus on bugs in the latest version of Whale browser

The bugs must be reproducible on the latest version in the time of reporting

Bugs in third party libraries used by only Whale (not Chromium) are eligible

Bugs in synchronization are eligible

Vulnerabilities in other applications or services, including the followings, are NOT eligible.

All of Naver web services are out-of-scope (e.g. *.naver.com, *.navercorp.com)

Web servers communicating with built-in extensions (e.g. Papago, Belli) are out-of-scope

URL preview spoofing in status bar is out-of-scope

3.Reward Amounts

Vulnerability	Examples	Maximum Rewards
Sandbox Escape	File system access, Arbitrary external program execution	USD $7,500
Remote Code Execution	Arbitrary code execution using memory corruption bugs without sandbox escape	USD $5,000
Same Origin Policy Violation	Universal XSS	USD $4,000
Information Leak	Arbitrary memory read	USD $2,000
Protection Bypass	Bypassing malicious program download protection, Bypassing blocking malicious pages	USD $750
Spoofing	Address bar spoofing, Referer spoofing	USD $500
Built-in Extensions Vulnerabilities	XSS in built-in extensions	USD $500
Others		USD $500

We decide the final reward amount based on quality of the report and severity of the vulnerability

We may pay reduced reward amounts if the vulnerability requires complex user interactions

We may pay reduced reward amounts if the vulnerability is introduced by a third party

We can pay higher reward amounts for new class of vulnerability types or clever exploitation techniques

#4. Ineligible Submissions
We do not pay cash rewards for the following cases

Any bugs reproducible in other Chromium-based browsers which use the same release

Any bugs in operating systems or hardwares

Bugs not reproducible on the latest version

Bugs that are already reported by other participant, or aware by internal reviews

Public bugs

Theoretical vulnerabilities without proof of concept

Simple crash by an assertion or Denial-of-Service (DoS) attack

Requiring too much complex user interactions

Vulnerabilities occured when manually disabling security features

Bugs in experimental features (whale://flags)

Bugs that are already reported to third parties

#5.Restrictions and Disclosure Policy

Do not disclose the details of the vulnerability until the vulnerability is fixed and the fix is released to most users

Do not engage in any activity that would be disruptive or damaging to other users

Naver employees cannot participate this program

6.Reporting Bugs

Please submit your report via report page. Please give us the following information if available:

Summary of the vulnerability

Minimized Proof of Concept (PoC) code

Functional exploitation code

PoC to show exploitability (e.g. register control)

Stack trace when crashed by the bug

Analysis of the bug

Attack scenario using the bug
Contact us at [email protected] if you have any question.

※ Do NOT include any vulnerability details in the email.

Naver Whale

Naver Whale

Details

1.Introduction

2.Scope

3.Reward Amounts

6.Reporting Bugs

1.Introduction

2.Scope

3.Reward Amounts

6.Reporting Bugs