The list of security flaws includes a total of 37 entries

May 20, 2015 11:50 GMT

External security researchers who contributed to Chrome browser’s increased security received $38,337 / €34,550 from Google for responsible disclosure of bugs fixed in version 43 of the browser.

The list of vulnerabilities addressed by the developers is 37 entries long, and six of them are marked as having a high severity risk.

Not all high severity risks were paid

The highest paid glitch was a sandbox escape, now identified as CVE-2015-1252, reported by a researcher who chose to remain anonymous, and who received a bounty of $16,337 / €14,700.

A cross-origin bypass in DOM (Document Object Model), tracked as CVE-2015-1253, is next on the payment ladder, deemed by Google to be worth a $7,500 / €6,750 check, also awarded to someone preferring to keep their identity secret; it could be that the two bugs were reported by one person, but there is no information to support this theory.

Another high severity issue (CVE-2015-1251), a use-after-free in Chrome's Speech component, which is responsible for translating the audio commands from the user, was disclosed by SkyLined, working with HP's Zero Day Initiative. However, in this case there was no monetary recognition.

The list of the most severe security flaws is completed with three more entries: two use-after-free bugs (in SVG and WebAudio) and another cross-origin bypass in the browser’s Editing component. The last two were rewarded with $3,000 / €2,700 each, while the first one received $2,000 / €1,800.

External contribution helped plug holes before the stable channel

The rest of the problems are considered of medium and low severity and received rewards between $500 / €450 and $1,500 / €1,350.

Apart from that, Google is also paying individuals closer to the development team who helped prevent security bugs from slipping into the stable channel of the browser.

As such, the sum of money invested in the security of Chrome is higher than the figure published in the release announcement on Tuesday.

Receiving the new update does not entail any effort from the user, as the process is carried out automatically and the modifications will be applied once the browser is restarted.