Google patches 14 Chrome bugs, pays record $47K in bounties and bonuses
And it ships updated Flash Player before Adobe gets fixes into others' hands
Computerworld - Google yesterday patched 14 vulnerabilities in Chrome and handed out a record $47,500 in rewards to researchers, including $30,000 for "sustained, extraordinary" contributions to its bug-reporting program.
The record checks were cut just two days before Google will put up to $1 million on the line at CanSecWest, a security conference set to kick off Tuesday and run through Thursday.
Sunday's security update to Chrome 17 was the second for that version since it launched Feb. 8.
All 14 of the vulnerabilities patched yesterday were labeled "high," Google's second-most-serious threat ranking.
Ten of the bugs were tagged as "use-after-free" memory management vulnerabilities, a common type of bug reported by researchers, who continue to use Google's own memory error detection tool, AddressSanitizer, to sniff out flaws.
While the 14 bugs reported by four outside researchers earned them $17,500 in bounty payments, Google also rewarded three of them with surprise bonuses of $10,000 each for what it said was "sustained, extraordinary" work.
The three bonuses went to researchers Aki Helin and Arthur Gerkis, and to someone identified as "miaubiz." All three reported vulnerabilities that Google patched Sunday.
They also have been among the most prolific researchers for Google.
In 2011, for example, miaubiz earned more than $40,000 in bounties, while Helin took home $7,500 and Gerkis received $4,000.
"To determine the [$10,000] rewards, we looked at bug finding performance over the past few months," said Jason Kersey, a Chrome program manager, in a Sunday blog. "We have always reserved the right to arbitrarily reward sustained, extraordinary contributions. We reserve the right to do so again and reserve the right to do so on a more regular basis!"
So far this year, Google has paid nearly $73,000 to outside researchers.
It could lay out a lot more than that this week at CanSecWest, the Vancouver, British Columbia, security conference that opens tomorrow.
Last week, Google withdrew its sponsorship of the annual Pwn2Own hacking contest at CanSecWest, and instead said it would offer up to $1 million in cash prizes to researchers who demonstrate exploits of unknown Chrome vulnerabilities.
Google will pay $60,000 for what it called a "full Chrome exploit" -- one that successfully hacks Chrome on Windows 7 using only vulnerabilities in Chrome itself -- $40,000 for every partial exploit that uses one bug within Chrome and one or more in other software, and $20,000 for "consolation" exploits that hack Chrome without using any vulnerabilities in the browser.
The company has promised to pay out as much as $1 million, assuming it has that many takers.
Also included with Sunday's Chrome 17 was an update to Adobe Flash Player. Google again beat Adobe to the punch on delivering a Flash upgrade; Adobe is issuing a security update today that fixes two critical flaws in the popular media software.
Adobe credited two members of Google's security team, Tavis Ormandy and Fermin Serna, with reporting the Flash bugs.
Sunday's update to Chrome 17 can be downloaded for Windows, Mac OS X and Linux from Google's website. Users running the browser will be updated automatically through its silent service.
Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer, on Google+ or subscribe to Gregg's RSS feed . His email address is email@example.com.
- Google reverses field, promises to restore Chrome's scrollbar arrows
- Update: Google ships Chrome 33, patches 28 bugs
- Mozilla's top exec defends in-Firefox ads, revenue search
- Mozilla taps in-Firefox ads as it searches for more revenue
- Mozilla ships Metro Firefox beta for Windows 8
- Mozilla defers Firefox's new 'Australis' UI to April
- Mozilla resets Metro Firefox ship date to mid-March
- Mozilla ships Firefox 26 with opening click-to-play move
- Mozilla banked $274M in '12 from Google-Firefox search deal
- Google trumpets Chrome's SPDY gains
Read more about Security in Computerworld's Security Topic Center.
- Best iPhone, iPad Business Apps for 2014
- 14 Tech Conventions You Should Attend in 2014
- 10 Desktop Apps to Power Your Windows PC
- How to Add New Job Skills Without Going Back to School
- Slideshow: 7 security mistakes people make with their mobile device
- iOS vs. Android: Which is more secure?
- 11 sure signs you've been hacked
- The 12 PCI DSS 3.0 requirements addressed by Peer 1 Hosting This handy quick reference outlines the 12 PCI DSS 3.0 requirements, who needs to be compliant and how Alert Logic solutions address the...
- Defense Throughout the Vulnerability Life Cycle This whitepaper provides insight into how to leverage threat and log management technologies to protect your IT assets throughout their vulnerability life cycle.
- Alert Logic for PCI DSS Compliance To achieve PCI DSS compliance, you must identify and remediate all critical vulnerabilities detected during PCI scans. Threat Manager streamlines this process by...
- Cybersecurity Imperatives Reinvent Your Network Security With Palo Alto Networks The Rise of CyberSecurity
- Live Webcast On-demand webinar: "Mobility Mayhem: Balancing BYOD with Enterprise Security" Check out this on-demand webinar to hear Sophos senior security expert John Shier deep dive into how BYOD impacts your enterprise security strategy...
- Live Webcast Endpoint Backup & Restore: Protect Everyone, Everywhere Arek Sokol from the bleeding-edge IT team at Genentech/Roche explains how he leverages cross-platform enterprise endpoint backup in the public cloud as part...
- Streamline Software Asset Management, Compose a software Management Symphony Keeping track of your organization's software is easy with effective software management solutions from CDW. View the videos in our software solutions channel
- Druva inSync: Endpoint Data Protection & Governance CLICK HERE to watch this video about protecting corporate data on laptops and mobile devices, sponsored by Druva. All Security White Papers | Webcasts