Ormandy’s win is Amnesty International’s windfall
Google hacker Tavis Ormandy and security firm Bromium have handed Amnesty International US$30,000 (£20,443, AU$40,242) in bug bounty cash awarded after the former broke the latter’s security controls.
Ormandy donated his US$15,000 (£10,214, A$20,104) winnings under Bromium’s hacking challenge, in which researchers were invited to brew malware capable of defeating its endpoint protection.
Ormandy (of Google Project Zero) defeated and escaped the company’s sandbox, exposing an avenue for potential remote compromise.
Bromium donated a further US$15,000 to Amnesty International.
The charity known for its work in human rights, child poverty, and freedom thanked the hacker for his donation.
Bromium co-founder Simon Crosby hoped the charity model would catch on in the industry, but described it as “a bit like a visit to the proctologist”.
bromium have made first donation to @amnesty for the host escape I reported, matching donation on way soon! Awesome! pic.twitter.com/W6qU9azCDY
— Tavis Ormandy (@taviso) June 20, 2016
“We think it’s important to hold security vendors accountable: Ditch marketing BS in favor of defensible design and rigorous evaluation,” Crosby says.
“And though we were surprised when Tavis Ormandy of Google claimed he had identified two bugs that let him escape micro-VM isolation, I was quietly rather pleased.
“… as an acknowledgement of his sheer professionalism and as testament to his awesome white-hattery, I have personally matched the Bromium award with a donation in Tavis’s honour.”
Ormandy worked with the company over a week to validate and help patch the sandbox escapes.
Bromium will now work to set up a formal bug bounty. ®