Issue 595905

Issue metadata

Status: WontFix
Owner:
Closed: Mar 2016
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: ----
Pri: ----
Type: Bug


Download Protection Bypass: Land a blacklisted download using Chrome on Windows (crdownload method)

Reported by jaggeds...@gmail.com, Mar 17 2016

Issue description

VERSION
Chrome Version: 50.0.2661.18 dev-m
Operating System: [Windows 7 Home SP1]

REPRODUCTION CASE
Download Protection Bypass - Chrome on Windows 7
Land a blacklisted test binary on disk, using Chrome. We are able to use an allowed executable file to download and run potentially dangerous unwanted software.
Bug: Blocked downloads are still written to disk until "Dismiss" is clicked.
This is unnecessary, because the user has no other choice except for "Learn More." Instead, the file should be deleted as soon as it's determined to be unwanted software. This proof of concept will take advantage of this and demonstrate using Chrome to install unwanted software.

Process: The user downloads our executable file and runs it. This file triggers an unwanted download in Chrome, resulting in a crdownload file being created in your downloads folder.
After this file has been created, the program will simply rename it from .crdownload to .exe and run it. The user will see that a download was blocked, but what they are unaware of is that an unwanted application was installed in the background.
For demonstration purposes, this program will download a sample "potentially unwanted app" (located at http://testsafebrowsing.appspot.com/s/pua.exe).
Then we will search for the latest *.crdownload in the downloads folder, rename it to .exe and run it. Congratulations, you now have malware! Just kidding.

See attached c++ source, also uploaded the binary if it helps.
Chrome must be set as the default browser, and use the default downloads directory. However, these requirements can be eliminated with extra work.

I have downloaded the executable (concept.exe) from the public internet with Chrome and it wasn't blocked. All I had to do was run it.
Please let me know if you have any problems or questions.

Thank You!
Jon Eyrick
jaggedsoft@gmail.com

Attachments:
concept.cpp (2.8 KB)
concept.exe (75.2 KB)
Safe to run, doesn't install anything or run the payload. Just a demonstration.
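The report above describes a sequence a defender can look for on an endpoint: a .crdownload file is renamed to an executable extension by a process other than Chrome, and the renamed file is then launched shortly afterwards. The detector below is an added example written for this page; it is not code from the report, from concept.cpp, or from Chromium. The pipe-separated event format, the field layout (timestamp, kind, acting process, source path, destination path), the sample paths and the five-minute correlation window are all constructed assumptions, not any real EDR or Sysmon schema.

```python
"""Detect a non-Chrome process renaming a .crdownload file to an executable
and then executing it (the pattern described in the report above).

Event format (constructed for this example, not a real log schema):
    ts|kind|actor|src|dst
  kind  = "rename" (src -> dst) or "process" (dst = image launched)
  actor = image path of the process performing the action
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Iterable, List

EXEC_EXTS = {".exe", ".dll", ".scr", ".com", ".bat", ".cmd", ".msi", ".ps1"}
# Chrome itself renames <name>.crdownload to the final name when a download
# completes, so that rename is the expected, benign case.
TRUSTED_RENAMERS = {"chrome.exe"}


@dataclass
class Event:
    ts: datetime
    kind: str
    actor: str
    src: str
    dst: str


def win_basename(path: str) -> str:
    """Last path component, lower-cased; works for Windows paths on any host."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def ext(path: str) -> str:
    name = win_basename(path)
    return name[name.rfind("."):] if "." in name else ""


def parse_line(line: str) -> Event:
    ts, kind, actor, src, dst = line.rstrip("\n").split("|")
    return Event(datetime.fromisoformat(ts), kind, actor, src, dst)


def is_suspicious_rename(ev: Event) -> bool:
    """True when a .crdownload file becomes an executable via a non-Chrome process."""
    return (ev.kind == "rename"
            and ext(ev.src) == ".crdownload"
            and ext(ev.dst) in EXEC_EXTS
            and win_basename(ev.actor) not in TRUSTED_RENAMERS)


def detect(lines: Iterable[str], window: timedelta = timedelta(minutes=5)) -> List[dict]:
    """Return alerts: 'medium' for the rename alone, 'high' once the renamed
    file is executed within the correlation window."""
    events = sorted((parse_line(l) for l in lines if l.strip()), key=lambda e: e.ts)
    alerts: List[dict] = []
    pending: List[Event] = []  # suspicious renames awaiting an execution event
    for ev in events:
        if is_suspicious_rename(ev):
            pending.append(ev)
            alerts.append({"severity": "medium", "ts": ev.ts.isoformat(),
                           "actor": ev.actor, "file": ev.dst,
                           "reason": ".crdownload renamed to executable by a non-Chrome process"})
        elif ev.kind == "process":
            for r in pending:
                if r.dst.lower() == ev.dst.lower() and ev.ts - r.ts <= window:
                    alerts.append({"severity": "high", "ts": ev.ts.isoformat(),
                                   "actor": ev.actor, "file": ev.dst,
                                   "reason": "renamed .crdownload executed within window"})
    return alerts


# Constructed sample events: a benign Chrome completion, then the reported
# sequence performed by a downloaded helper executable.
SAMPLE_LOG = """\
2016-03-17T10:00:01|rename|C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe|C:\\Users\\alice\\Downloads\\report.crdownload|C:\\Users\\alice\\Downloads\\report.pdf
2016-03-17T10:00:05|process|C:\\Windows\\explorer.exe||C:\\Users\\alice\\Downloads\\concept.exe
2016-03-17T10:00:09|rename|C:\\Users\\alice\\Downloads\\concept.exe|C:\\Users\\alice\\Downloads\\Unconfirmed 123456.crdownload|C:\\Users\\alice\\Downloads\\pua.exe
2016-03-17T10:00:10|process|C:\\Users\\alice\\Downloads\\concept.exe||C:\\Users\\alice\\Downloads\\pua.exe
"""


def run_sample() -> List[dict]:
    return detect(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

On the sample input the Chrome rename produces nothing, the rename by concept.exe produces a medium alert, and the launch of pua.exe one second later escalates it to high. The rename alone is worth surfacing because the blocked file is left on disk by design (as the triager's reply notes), so the rename by a third party is the point at which the protection is actually undone.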
Labels: -Restrict-View-Google
Status: WontFix (was: New)
Thanks for the report!

The .crdownload temporary file is intentionally kept since it's possible the user would want to recover it from the chrome://downloads UI.  This is a feature, and WAI.

The renaming you do in concept.cpp requires a second executable to be downloaded and run, which is out of scope of the VRP program.
Hi, thank you for the quick response!

If we can accomplish the same process from a Chrome Extension, resulting in a blacklisted download landed on disk, will it qualify?
Also, if we have an exe file that is allowed to be downloaded through Chrome (not blocked) that can change Chrome's homepage, would this be eligible? Thank you
For #3: If you have a by-pass method that meets the posted VRP criteria and uses a common extension, please do submit it (separate bug).  A custom extension would likely not qualify, since it would be flagged separately as a policy violation.

for #4: No, an exe's behaviour is not a criterion for the VRP.
Thanks and I hope you enjoy the rest of your day

You say an exe's behavior is not a criterion, but it indicates on this page that it is. https://www.google.com/about/appsecurity/chrome-rewards/index.html#rewards That's why I chose to submit this.

You should change some wording on that page:
"Any gestures required must be likely and reasonable for most users. As a guide, execution with more than three reasonable user gestures (eg: click to download, open .zip, launch .exe) is unlikely to qualify, but it’ll be judged on a case-by-case basis. The user can’t be expected to bypass warnings."

Thanks again!
To be clear, the behaviour of the executable once running isn't a criterion. Doesn't matter if it changes your homepage, or plays tetris.
Thanks for all of your time. I am trying to understand this for my next submission. Which criteria did I not meet?
The end user must only click to download and run the exe and a blacklisted executable is landed. It includes binaries in the criteria below. My submission appears to meet the following criteria:
Q: Can I have more details about the Download Protection bypass rewards?

A: Sure! Here are all of the qualifying rules you need to consider:

Safe Browsing must be enabled on Chrome and have an up-to-date database (this may take up to a few hours after a new Chrome install).
Safe Browsing servers must be reachable on the network.
Binary must land in a location a user is likely to execute it (e.g. Downloads folder).
The user can’t be asked to change the file extension or recover it from the blocked download list.
Any gestures required must be likely and reasonable for most users. As a guide, execution with more than three reasonable user gestures (eg: click to download, open .zip, launch .exe) is unlikely to qualify, but it’ll be judged on a case-by-case basis. The user can’t be expected to bypass warnings.
The download should not send a Download Protection Ping back to Safe Browsing. Download Protection Pings can be measured by checking increments to counters at chrome://histograms/SBClientDownload.CheckDownloadStats. If a counter increments, a check was successfully sent (with exception to counter #7, which counts checks that were not sent).
The binary’s hosting domain and any signature can not be on a whitelist. You can measure this by checking chrome://histograms/SBClientDownload.SignedOrWhitelistedDownload does not increment.
Since your example requires the user to download and run your concept.exe, I assume that would generate a Download Protection Ping (you can verify). So that would be seen by Safe Browsing, and thus it doesn't qualify for the VRP. Your example also requires two downloads -- one for the blacklisted file, and one for the not-yet blacklisted file.
Labels: Type-Bug

Comment 11 by vakh@chromium.org, Mar 10 2017

Labels: Restrict-View-SecurityTeam
For all Download Protection VRP bugs: removing label Restrict-View-Google and adding Restrict-View-SecurityTeam instead.
Comment 12 by sheriffbot@chromium.org, Mar 11 2017

Labels: -Restrict-View-SecurityTeam allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot