Finding issues in large complex projects is generally easier than in smaller projects. More code, more bugs. But it's still difficult to find serious issues on the level of a sandbox escape in Chromium just because Google's long-running reward system means lots of people have spent lots of time looking into it, both manually and using automated fuzzer tools.
Back in ye olden days of 2014 I randomly stumbled upon a Chrome issue (wasn't trying to find bugs, was just writing some JavaScript code and noticed a problem) and reported it to Google and they paid me $1,500. Not bad for like half an hour's work to report the issue.
https://issues.chromium.org/issues/40078754
I feel like it's the opposite. In a huge project there's bound to be many weird interactions between components, and it's about picking the important/security-relevant ones and finding edge cases. In this case the focus was on the interaction between the renderer process and the broker. That forms a security boundary, so it makes sense to focus your efforts there - Google will pay for such exploits since they can in theory, when combined with other exploits in the renderer process, lead directly to exploits that can be triggered just by opening a web page. So, yes, Chrome is a huge project, but the list of security-relevant locations to probe isn't actually all that long. That's not to diminish the researchers' work; it still takes an insane amount of skill to find these issues.
Finding a problem that deserves a bug bounty reward is a very different beast to just finding quirks.
I read from one security researcher somewhere that professionals wouldn't find enough bug-bounty-worthy problems at a high enough frequency to pay their bills. So they'll sometimes treat things like this more as a supplement to promote their CV rather than as a job itself.