Google pays bounty for bug fixes

Gregg Keizer
7 March, 2012
View more articles fromthe author

Google yesterday patched 14 vulnerabilities in Chrome and handed out a record US$47,500 in rewards to researchers, including US$30,000 for “sustained, extraordinary” contributions to its bug-reporting program.

The record checks were cut just two days before Google will put up to US$1 million on the line at CanSecWest, a security conference set to kick off Tuesday and run through Thursday.

Sunday’s security update to Chrome 17 was the second for that version since it launched Feb. 8. All 14 of the vulnerabilities patched yesterday were labeled “high,” Google’s second-most-serious threat ranking. Ten of the bugs were tagged as “use-after-free” memory management vulnerabilities, a common type of bug reported by researchers, who continue to use Google’s own memory error detection tool, AddressSanitiser, to sniff out flaws.

While the 14 bugs reported by four outside researchers earned them US$17,500 in bounty payments, Google also rewarded three of them with surprise bonuses of US$10,000 each for what it said was “sustained, extraordinary” work. The three bonuses went to researchers Aki Helin and Arthur Gerkis and to someone identified as “miaubiz.” All three reported vulnerabilities that Google patched Sunday. They also have been among the most prolific researchers for Google.

In 2011, for example, miaubiz earned more than US$40,000 in bounties, while Helin took home US$7,500 and Gerkis received US$4,000.

“To determine the [US$10,000] rewards, we looked at bug finding performance over the past few months,” said Jason Kersey, a Chrome program manager, in a Sunday blog. “We have always reserved the right to arbitrarily reward sustained, extraordinary contributions. We reserve the right to do so again and reserve the right to do so on a more regular basis!”

So far this year, Google has paid nearly US$73,000 to outside researchers. It could lay out a lot more than that this week at CanSecWest, the Vancouver, British Columbia, security conference that opens tomorrow.

Last week, Google withdrew its sponsorship of the annual Pwn2Own hacking contest at CanSecWest and instead said it would offer up to $1 million in cash prises to researchers who demonstrate exploits of unknown Chrome vulnerabilities.

Google will pay US$60,000 for what it called a “full Chrome exploit” – one that successfully hacks Chrome on Windows 7 using only vulnerabilities in Chrome itself – US$40,000 for every partial exploit that uses one bug within Chrome and one or more in other software and US$20,000 for “consolation” exploits that hack Chrome without using any vulnerabilities in the browser. The company has promised to pay out as much as US$1 million, assuming it has that many takers.

Also included with Sunday’s Chrome 17 was an update to Adobe Flash Player. Google again beat Adobe to the punch on delivering a Flash upgrade; Adobe is issuing a security update today that fixes two critical flaws in the popular media software. Adobe credited two members of Google’s security team, Tavis Ormandy and Fermin Serna, with reporting the Flash bugs.

Sunday’s update to Chrome 17 can be downloaded for Windows, Mac OS X and Linux from Google’s website. Users running the browser will be updated automatically through its silent service.


One Comment

One person was compelled to have their say. We encourage you to do the same..

  1. Sarah says:

    This seems like a great way for Google to figure out the bugs and flaws in its Chrome platform. It’s probably more effective to hold this contest and drive competitive spirit, rather than shifting the efforts of the company’s own teams. Furthermore, it gets tech savvy bug hunters interested in Google Chrome, and shows the public that Google cares about the security of its browser.

    Mosaic Technology

Leave a Comment

Please keep your comments friendly on the topic.

Contact us