Google Pays Big Bug Bounties in Chrome 40 Fix

Google is out with its first stable Chrome browser update of 2015, with security vulnerabilities fixes topping the list of improvements in the new release. In total, Google is patching 62 different security flaws in the update.

In contrast, Microsoft has yet to provide a single security patch for its Internet Explorer browser in 2015, while Mozilla’s Firefox 35 had nine security advisories attached to it.

Of the 62 flaws, 26 were reported to Google by external security researchers. For their efforts, Google is paying out $53,500 in bug bounties for the 26 flaws and an additional $35,000 in awards for security vulnerabilities fixed in the Chrome pre-stable development process.

As part of its Chromium Security Award program, Google has been rewarding researchers for reporting flaws in Chrome since 2010. Initially the top award was $1,337 but Google has been steadily increasing its awards, with the top single award standing at $15,000 as of Sept. 30, 2014.

Big Bug Bounties

For Chrome 40 specifically, the top award was a $5,000 payout to a security researcher identified only as “yangdingning,” for a memory corruption flaw identified as CVE-2014-7923. The researcher earned an additional $4,000 for identifying a second memory corruption issue, CVE-2014-7926.

While yangdingning was awarded the top dollar amount for a vulnerability, other researchers ended up collecting more from Google, by reporting a higher volume of patched flaws in Chrome 40. Most notably, a researcher working under the alias “cloudfuzzer” was awarded $12,000 for reporting six different flaws. All of the flaws reported by cloudfuzzer are various forms of memory abuse vulnerabilities.

Security researcher Christian Holler was awarded $7,000 by Google for CVE-2014-7927 and CVE-2014-7928, both of which are memory curruption issues in Chrome’s V8 JavaScript engine. Atte Kettunen of OUSPG (Oulu University Secure Programming Group) is also well represented in the Chrome 40 award listing, earning $6,500 for five different flaws, including CVE-2014-7932, CVE-2014-7937, CVE-2014-7938, CVE-2014-7941 and CVE-2014-7943.

Among the interesting flaw fixes in Chrome 40 are security vulnerabilities in how the browser handles fonts. Kettunen is credited with the discovery of CVE-2014-7938, a memory corruption in Fonts, and a security researcher known as “miaubiz” found CVE02914-7941, which is an uninitialized value in Fonts vulnerability.

In its release announcement for Chrome 40, Google noted that many of the bugs fixed in the release were detected using AddressSanitizer or MemorySanitizer. Both AddressSanitizer and MemorySanitizer are open source tools built by Google to help detect uninitialized and potentially corrupted memory usage.

Sean Michael Kerner is a senior editor at eSecurityPlanet and Follow him on Twitter @TechJournalist.

Sean Michael Kerner
Sean Michael Kerner
Sean Michael Kerner is an Internet consultant, strategist, and contributor to several leading IT business web sites.

Top Products

Related articles