Lateral Escalation

Lateral escalation vulnerabilities are those that require another vulnerability to exist in order to be exploitable. They are also in scope for the VRP, but earn lower rewards (usually one to two tiers below what the bug would be worth if it did not need another vulnerability).

If, by combining several lateral escalation attacks, you are able to create a complete exploit chain, the panel usually awards an additional "Bug Chain Bonus" in recognition of the complexity and effort involved. The following rules apply to these rewards:

    • Each bug in the chain can only be used once

    • The panel will consider revised attack scenarios and bugs to complete bug chains within a reasonable amount of time (e.g., as long as the bugs remain unfixed, or some time after a report)

For example, an XSS bug in Gmail that requires another XSS in Google+ would be worth $1,337 USD. If the required XSS in Google+ is found, then on top of the additional $3,133.7 USD we would issue a Bug Chain Bonus of $5,000 USD (for a total of $9,470 USD).