by Ruud-v-A 3194 days ago
It would be interesting to know what the nature of these bugs was, whether they are mostly memory safety issues or not.

I find it scary that for $1k one can find so many bugs in software exposed to untrusted content.

2 comments

We probably should have linked to this in the post, but you can see the details of Ivan's findings on our public issue tracker: https://bugs.chromium.org/p/project-zero/issues/list?can=1&q...

As expected from DOM fuzzing there's lots of overflows, use-after-free, and type confusion issues.

I would bet they were all memory corruption related. They were using AFL to manage their test corpus. It is probably a good guess to say they were all memory corruption related. I am pretty sure the definition of bug is "unique crash". Crash means memory corruption. Probably, the only way they knew they had a bug in such a scenario is from an instrumented process crashing in the first place. I doubt they were checking for much else in terms of instrumented process behavior.
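As an added illustration of the "unique crash" notion discussed above (example code, not from the thread or from Project Zero): a small Python triage script that buckets sanitizer-style crash reports by bug class plus a hash of the top stack frames, so repeated hits of one root cause count once while the per-class breakdown falls out for free. The reports and Blink function names are constructed sample data.

```python
import hashlib
import re
from collections import Counter

# Constructed AddressSanitizer-style reports (sample data, not real crash logs).
SAMPLE_REPORTS = [
    "==101==ERROR: AddressSanitizer: heap-use-after-free on address 0x6020000000f0\n"
    "    #0 0x55d0 in blink::Node::parentNode() node.cc:310\n"
    "    #1 0x55e1 in blink::Range::setStart() range.cc:122\n"
    "    #2 0x55f2 in blink::V8Range::setStartMethod() v8_range.cc:80\n",
    # Same bug hit again: different PID and address, identical stack.
    "==102==ERROR: AddressSanitizer: heap-use-after-free on address 0x6020000001a0\n"
    "    #0 0x55d0 in blink::Node::parentNode() node.cc:310\n"
    "    #1 0x55e1 in blink::Range::setStart() range.cc:122\n"
    "    #2 0x55f2 in blink::V8Range::setStartMethod() v8_range.cc:80\n",
    # A different bug class with its own stack.
    "==103==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61900000a080\n"
    "    #0 0x7a10 in blink::TextIterator::advance() text_iterator.cc:455\n"
    "    #1 0x7a21 in blink::Selection::modify() selection.cc:90\n"
    "    #2 0x7a32 in blink::V8Selection::modifyMethod() v8_selection.cc:33\n",
    # Same class as the first two but a distinct stack: a separate bug.
    "==104==ERROR: AddressSanitizer: heap-use-after-free on address 0x6020000002b0\n"
    "    #0 0x9c10 in blink::Element::attributes() element.cc:200\n"
    "    #1 0x9c21 in blink::V8Element::attributesGetter() v8_element.cc:71\n"
    "    #2 0x9c32 in v8::internal::Builtin_HandleApiCall() builtins-api.cc:40\n",
]

HEADER_RE = re.compile(r"ERROR: AddressSanitizer: ([\w-]+)")
FRAME_RE = re.compile(r"^\s*#\d+ 0x[0-9a-f]+ in (\S+)", re.MULTILINE)

def parse_report(report):
    """Return (bug_class, [function names]) from one sanitizer report."""
    m = HEADER_RE.search(report)
    bug_class = m.group(1) if m else "unknown"
    return bug_class, FRAME_RE.findall(report)

def bucket_key(report, depth=3):
    """Bug class plus hash of the top frames; PIDs and addresses are ignored."""
    bug_class, frames = parse_report(report)
    digest = hashlib.sha256("|".join(frames[:depth]).encode()).hexdigest()[:12]
    return f"{bug_class}:{digest}"

def dedupe(reports, depth=3):
    """Map bucket key -> number of crashes, i.e. the 'unique crash' count."""
    return Counter(bucket_key(r, depth) for r in reports)

def class_summary(reports, depth=3):
    """Unique buckets per bug class, the breakdown the thread is asking about."""
    return Counter(key.split(":")[0] for key in dedupe(reports, depth))
```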