Student bug bounty discovery supports picoCTF’s cybersecurity education efforts with $462,000 gift

Seunghyun Lee, a first-year Ph.D. student in Carnegie Mellon University’s Computer Science Department, was recently conducting some routine research on Google Chrome’s source code.

Little did he know at the time that his customary research process of “fuzzing,” an automated software testing technique that involves inputting random or invalid data into a computer program and observing its behavior and output, would lead him to discover a software vulnerability that would result in a valuable bug bounty and a $462,000 gift to support cybersecurity education.

“I'm not actively looking for bug bounties,” Lee explained. “It's sort of a side effect of my research where I need to look deeper into Chrome source code and then write code based on it, which automatically leads me to these vulnerabilities.”

Many companies that develop software offer bug bounty programs to help them identify and fix security issues before malicious actors can exploit them. Vendors offer bounties to researchers, often known as “ethical hackers,” to find vulnerabilities and responsibly report them to the vendors, so their developers can secure the vulnerabilities before they become publicly known.

Through his fuzzing research, Lee discovered a faulty implementation in Google Chrome's WebAssembly type system. Subtle design issues in the WebAssembly code, including optimizing compilers, facilitated a series of bugs that led to fragile sites that could easily be exploited.

“This is what people call a renderer exploit,” Lee said. “With renderer exploits, attackers can obtain native code execution in a lower-privileged renderer process, which is the process that literally renders your website. Renderer exploits are often the first step for an attacker to gain full control over a target device by combining other bugs.”

Upon discovering the series of bugs, Lee reported them to Google via the Google Bug Hunters program. Representatives from Google triaged the vulnerability and confirmed it as a systemic issue that needed to be addressed, and one that was eligible for bounty compensation through its vulnerability reward program.

But rather than accept the bug bounty himself, Lee has generously chosen to donate it to picoCTF, Carnegie Mellon’s cybersecurity competition and learning platform that teaches middle, high school, and college students technical security skills through a capture-the-flag (CTF) competition.

“I wanted to donate the bounty to picoCTF because I started my cybersecurity career by playing CTFs as a student, solving previous challenges and ‘wargame’ challenges,” Lee said. “And I believe that was really a driving force for me to learn much more.

“picoCTF is a great platform that allows new students to get on board with cybersecurity.”

Google has matched Lee’s bounty donation to picoCTF, leading to a total gift of $462,000 for the platform, which is offered free of charge to more than 600,000 active users across the globe. The gift represents the single largest donation to picoCTF in its 12-year history.

“Seunghyun’s generous donation underscores the importance of supporting cybersecurity education by contributing to the resources we need to significantly enhance picoCTF’s ability to reach more students,” said Megan Kearns, picoCTF program director. “It empowers us to continue innovating and delivering high-quality, accessible training to the next generation of cybersecurity professionals.

"Seunghyun exemplifies the power of using your skills to uplift others and inspires us all to make meaningful contributions to the cybersecurity community.”

Lee’s goal is to continue to address these challenges through his research to help make the internet a more secure place for users. And he hopes that his gift might inspire other bug bounty hunters to contribute to picoCTF.

“When companies match these bounties, donations can be a particularly beneficial option for ethical hackers,” said Kearns.

“For most security researchers, the ultimate goal is to create a system that automatically discovers and patches these bugs,” said Lee. “We just currently lack the capabilities to do so. I want to continue to address these problems by developing a system that automatically finds exploitable bugs so that we can fix them in a timely manner.”