
Google pays out $14K in bounties for Chrome bugs

Google has released an updated version of its Chrome browser and Chrome OS web-based operating system, and has also revealed just how much money its cash-for-bugs Chromium Security Rewards programme has shelled out.

The programme, which Google launched last year, encourages security researchers to report vulnerabilities in Chrome, Chromium, and Chrome OS directly to Google in exchange for a cash reward, paid either to the researcher or to a charity of their choice.

In this latest release, which updates the stable version of Chrome to 8.0.552.237 on all supported platforms and Chrome OS to 8.0.552.334, Google has paid out a total of more than $14,000 to researchers who found sixteen security vulnerabilities rated at medium severity or higher.

The star of this release, however, is undoubtedly Sergey Glazunov, who has become the first person to receive Google's 'elite' reward of $3,133.70 for the discovery of a stale pointer vulnerability in Chromium's speech handling code, which the company rated as a critical flaw.

Glazunov also discovered another critical flaw, related to the bad handling of pointers in the node iteration code, netting him another $1,337 payout - topped up with three other vulnerabilities earning him $1,000 each.

Details of many of the flaws fixed in this release are being kept private by Google until the majority of users have been updated and are protected against exploitation. The Chrome browser handles this automatically: its updater checks for new versions in the background and applies them the next time the browser is restarted.