Some vulnerability reports are still to be processed

Mar 4, 2015 12:55 GMT  ·  By

The latest stable release of Chrome browser (41.0.2272.76) integrates no less than 51 security fixes, some of them reported by external security researchers, whom Google rewarded with a total of $52,000 / €47,000.

This is not all the money the company spent on doing away with vulnerabilities in the web browser, since some of the reports still have to be assessed through the reward panel.

These come from researchers who worked with the Chrome team during the development cycle and helped prevent the faults from reaching the stable channel, Penny MacNeil said in a blog post on Tuesday.

Rewards offered for use-after-free, out-of-bounds write and type confusion

If successfully exploited, some of the glitches have the potential to expose users to serious risks. The highest reward currently listed ($7,500 / €6,700) went to an anonymous reporter for an out-of-bounds write glitch affecting media objects.

Three $5,000 / €4,500 bounties went to cloudfuzzer for the same class of vulnerability, but touching on the filters available in the Skia graphics library.

Google paid additional rewards ranging from $2,000 to $3,000 (€1,800 - €2,700) for vulnerabilities such as use-after-free (GIF decoder, DOM, web database and service workers), type confusion in V8 rendering engine, and integer overflow in WebGL.

The smallest reward paid this time was $500 / €450 for a code injection possibility via proxies, credited to a vulnerability hunter known as “iliwoy.”

With Pwnium dissolved, maximum reward increases

Through its Security Reward Programs, Google paid over $1.5 / €1.35 million in 2014 to third-party researchers who submitted reports for valid security flaws in its products.

On February 24, Google announced that the scope of the one-day hacking competition Pwnium would extend all through the year and that a financial restriction would no longer be imposed.

This not only gives the company the opportunity to fix glitches faster, but it also lets multiple researchers submit their findings without fearing that a competitor's better discovery will beat theirs.

The maximum payout for bug chains, however, would remain capped at $50,000 / €45,000.