Chrome 28 Blinks

Google pays researcher record $21,500 for reporting bugs in sync service

Google on Tuesday released Chrome 28, the first polished version of the browser to use the company's home-grown "Blink" rendering engine.

On Windows, the upgrade also sported Google's new notification service that lets developers of Chrome apps and add-ons display messages and alerts outside the browser window.

The upgrade was the first since May 21, when Google shipped Chrome 27 and touted some minor performance improvements.

Google announced in April that it was dropping the open-source WebKit browser engine -- at the time otherwise used only by Apple's Safari -- and was instead launching Blink, a WebKit variant, to power Chrome. Since then, Opera Software's Opera has also adopted WebKit as an interim step before it eventually moves to Blink.

Google cited difficulties in adapting WebKit to Chrome, and in the first weeks after the announcement, stripped copious amounts of unnecessary-for-Chrome code from the fork that became Blink.

Previously, only the rougher "Dev" and "Beta" builds of Chrome relied on the Blink engine. Users can verify that Blink is present by typing chrome://version/ in the Chrome address-search bar, dubbed the "Omnibox."

Also included in Chrome 28 is new support for more sophisticated notifications that appear outside the browser pane and display even when the browser's not running. "Packaged apps" -- über-Web apps that look and behave like "native" code written specifically for the underlying OS -- and add-ons can push brief messages and alerts to Chrome users after their developers have enabled the feature.

Only the Windows version of Chrome 28 currently supports these next-generation notifications, but Google promised that the feature would soon make its way to OS X and Linux. On a Mac, Chrome notifications are not integrated with OS X Mountain Lion's Notification Center.

Along with the debut of Blink and notifications, Chrome 28 contained patches for 15 security vulnerabilities, one of them rated "critical," Google's most serious threat ranking. According to Google's terse security advisory, that flaw was a memory management bug -- dubbed a "use-after-free" vulnerability -- in the browser's network sockets code.

But while Colin Payne, who reported the bug, received an impressive reward of $6,267.40, another researcher was handed triple that.

Andrey Labunets was paid a record $21,500 for filing several vulnerability reports, including two in the Google synchronization service and an unknown number of others that Google said were "...since-fixed server-side bugs."

That last phrase and the amount paid were clues that Labunets discovered one or more flaws in a core Google service. In April, Google boosted bounties for vulnerability reports in its core websites, services and online apps, resetting the top reward to $20,000 for remote code execution bugs, those that attackers could use to slip malicious code onto a server or into an app or site.

Labunets is no stranger to large bug bounties. Earlier this year, after reporting a string of weaknesses in Facebook's authentication protocol, Labunets was awarded $9,500 by the social networking giant.

Altogether, Google this week paid bounties totaling $34,901 to six researchers, including Payne and Labunets, for reporting eight different bugs. Through Tuesday, the Mountain View, Calif., company has awarded nearly $250,000 this year in bounties or hacking contest prizes.

Users can download Chrome 28 from Google's website. Active users can simply let the automatic updater retrieve the new version.

This article, Chrome 28 Blinks, was originally published at Computerworld.com.

Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer, on Google+ or subscribe to Gregg's RSS feed. His email address is gkeizer@computerworld.com.

Copyright © 2013 IDG Communications, Inc.