14 DAY TRIAL // Google dropped a new stable version of Chrome browser (42.0.2311.90), which plugs 45 security vulnerabilities costing the company at least $21,500 / €20,000 in rewards for responsible disclosure by third-party researchers.
The fresh revision is promoted to incorporate improvements and to include the "answer to life, the universe and everything," a reference to the many mathematical characteristics of number 42 and The Hitchhiker's Guide to the Galaxy.
Top bounties paid
The largest monetary reward was $7,500 / €7,000 and it was received by someone whose identity remained undisclosed, for a flaw (CVE-2015-1235) that allowed cross-origin bypass in the HTML parser included in the web browser.
Another cross-origin bypass (CVE-2015-1236), this time in Blink layout engine, was deemed by Google to be worth $4,000 / €3,750. Credited for its discovery and reporting was software developer Amitay Dobo.
Coming in third place in terms of payment is a use-after-free fault in the inter-process communication (IPC) layer discovered by Khalil Zhani, an independent security researcher from Morocco, who received $3,000 / €2,800 for reporting it.
Valued by Google at $2,000 / €1,900 is an out-of-bounds write weakness in Skia graphics engine (CVE-2015-1238), credited to cloudfuzzer.
An out-of-bounds read vulnerability in WebGL (credited to w3bd3vil) and the discovery of a tap-jacking method (Phillip Moon and Matt Weston of Sandfield Information Systems) in the mobile version of the browser have been awarded $1,000 / €950 each.
More money could be paid for outside help
Additional fixes refer to type-confusion in the V8 JavaScript engine, HSTS bypass in WebSockets, an out-of-bounds read in Blink, a use-after-free in Chrome’s PDF reader, scheme problems in OpenSearch, and bypassing the SafeBrowsing protection mechanism. The researchers reporting them have each been rewarded $500 / €470.
In a blog post announcing the new Chrome build and the vulnerability rewards, Alex Mineer from Google says that the total value of the rewards paid has not been established yet because some reports are still being processed by the reward panel.
As such, Google may end up paying more than the sum announced at the moment. Compared to the previous stable release, however, the company paid less than half for the security vulnerabilities reported, although the number was not higher by much (51 flaws were awarded $52,000 / €48,800).