Google is no stranger to paying security researchers for identifying security flaws, though until now the company has never paid out more than $3,337 per issue to any single security researcher.
With the Chrome stable 17.0.963.65 browser which was released late Sunday, Google has created a new class of security awards that changes the pay scale. For the Chrome 17.0.963.65, Google decided to single out three researchers and their respective contributions with a special award of $10,000 each. Those three researchers combined to discover and report 12 out of 13 High impact flaws fixed in the Chrome 17.0.963.65 update.
The first award is going to a researcher who uses the alias “Miaubiz” for his effort on WebKit fuzz testing. WebKit is the underlying rendering engine for Chrome as well as the Apple Safari browser. In Chrome 17.0.963.65, Miaubiz was credited with the discovery of eight high impact flaws, for which Google is paying him an additional $9,500 in awards. As such, Miaubiz will walk away from the Chrome 17.0.963.65 release with $19,500 from Google for his efforts in reporting security flaws. Five of Miaubiz’s flaws were various use-after-free memory errors affecting multi-column handling, quote handling, class attribute handling, table section handling, and flexbox with floats.
Aki Helin of OUSPG (Oulu University Secure Programming Group) also received a special $10,000 award for his fuzz testing efforts. The official bug entry in Google’s Chrome development system for Helin’s award is titled, “Aki Helin is a Legend.” Helin was also the recipient of the top previous award of $3,337 for an issue that was fixed in the first Chrome 17 stable release at the beginning of February.
In Chrome 17.0.963.65, Helin is credited with the discovery of one high impact issue related to a buffer overflow in the Chrome Skia drawing library. Google is awarding Helin $2,000 for the report, bringing his total tally for this release to $12,000.
The third special award is going to Arthur Gerkis for his efforts in “inflicting pain” on SVG. SVG is a graphics library that is used in Chrome. In Chrome 17.0.963.65, Gerkis is credited with the discovery of four high impact flaws. All of Gerkis’ flaws are use-after-free issues with SVG handling. For his Chrome 17.0.963.65 flaws, Google is awarding Gerkis an additional $5,000, bringing his total tally to $15,000 for the release.
“We have always reserved the right to arbitrarily reward sustained, extraordinary contributions,” Google Chrome developer Jason Kersey wrote in a blog post. “We reserve the right to do so again and reserve the right to do so on a more regular basis! Chrome has a leading reputation for security and it wouldn’t be possible without the aggressive bug hunting of the wider community.”
Google’s total payout for the Chrome 17.0.963.65 release was $48,500. While impressive, it’s still a far cry from the awards that Google is making available as part of its new Pwnium challenge. Pwnium was announced at the end of February after Google pulled out of the Pwn2Own challenge. In the Pwnium challenge, Google will pay $60,000 for a full Chrome exploit and $40,000 for a partial Chrome exploit. In total, Google will allow for multiple flaws to be reported and has pledged as much as $1 million in total prize money.