Google Doubles Down on Web Security
Google is continuing to advance the state of security by paying out bug bounties to researchers as well as debuting new efforts such as its new Root Certificate Authority (CA).

Google's Chrome browser was updated to version 56, providing patches for 51 different security vulnerabilities. For Chrome 56, Google awarded security researchers at least $54,337 in bug bounty payments for responsibly disclosing flaws in Chrome. The single largest award payment was $8,837 for a vulnerability identified as CVE-2017-5007, titled 'universal XSS in Blink.' Blink is Chrome's browser rendering engine and is based on the WebKit rendering engine that is used by Apple's Safari web browser. CVE-2017-5007 was reported by researcher Mariusz Mlynski, who is also credited with reporting three additional XSS issues, earning him a total payout of $32,337.

Overall, Google has paid out over $9 million in bug bounties since it first started a vulnerability awards program in 2010. Google awarded over $3 million in 2016 alone for bugs found across its products, including Chrome and Android.

"We created our Vulnerability Rewards Program in 2010 because researchers should be rewarded for protecting our users," Eduardo Vela Nava, Google Vulnerability Rewards Program (VRP) Technical Lead, wrote in a blog post. "Their discoveries help keep our users, and the internet at large, as safe as possible."

"The amounts we award vary, but our message to researchers does not; each one represents a sincere thank you," he added.

In addition to the security vulnerabilities fixed in Chrome 56, Google is also aiming to advance the state of security awareness. Starting with Chrome 56, the web browser now more clearly marks non-HTTPS pages that collect passwords or credit card information as being non-secure. HTTPS is used when a site has SSL/TLS (Secure Sockets Layer/Transport Layer Security) certificates in place to encrypt data in motion. Without an HTTPS connection, data is sent in the clear, meaning anyone on the path can easily 'sniff' the traffic over the air or wire and read the unencrypted information. Google's long-term plan is to eventually mark all non-HTTPS sites as being non-secure.
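As an added example (not code from the article or from Chrome itself), the following Python script mirrors the Chrome 56 rule just described as a site-audit check: a page served over plain HTTP that contains a password field or a payment-card field is reported as "not secure". The field heuristics (the `type="password"` test and the assumed subset of `cc-*` autocomplete tokens) are a simplification, and the sample markup is constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# WHATWG autofill tokens that identify payment-card inputs (assumed subset).
CC_TOKENS = {"cc-number", "cc-exp", "cc-exp-month", "cc-exp-year", "cc-csc", "cc-name"}


class SensitiveInputFinder(HTMLParser):
    """Counts <input> elements that collect passwords or card data."""

    def __init__(self):
        super().__init__()
        self.password_fields = 0
        self.card_fields = 0

    def handle_starttag(self, tag, attrs):
        if tag != "input":
            return
        # HTMLParser lowercases tag and attribute names; values are normalised here.
        a = {k: (v or "").strip().lower() for k, v in attrs}
        if a.get("type") == "password":
            self.password_fields += 1
        elif a.get("autocomplete") in CC_TOKENS:
            self.card_fields += 1


def classify_page(url, html):
    """Return 'secure', 'not secure' or 'neutral' for a URL and its markup."""
    if urlparse(url).scheme.lower() == "https":
        return "secure"           # encrypted transport: this rule does not apply
    finder = SensitiveInputFinder()
    finder.feed(html)
    if finder.password_fields or finder.card_fields:
        return "not secure"       # plaintext HTTP carrying credentials or card data
    return "neutral"              # plaintext HTTP without sensitive fields


# Constructed sample markup, not taken from any real site.
LOGIN_FORM = '<form><input name="user" type="text"><input name="pw" TYPE="Password"></form>'
CHECKOUT_FORM = '<form><input name="card" autocomplete="cc-number"></form>'
NEWSLETTER_FORM = '<form><input name="email" type="email"></form>'

if __name__ == "__main__":
    for url, page in [("http://shop.example/login", LOGIN_FORM),
                      ("http://shop.example/pay", CHECKOUT_FORM),
                      ("http://shop.example/news", NEWSLETTER_FORM),
                      ("https://shop.example/login", LOGIN_FORM)]:
        print(url, "->", classify_page(url, page))
```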

SSL/TLS certificates can be self-signed by a web host, though that's an approach that is generally frowned upon as it doesn't validate authenticity. The preferred approach is for SSL/TLS certificates to be issued by a known certificate authority. Until this week, Google had been using various third-party CAs, but now it is rolling out its own Root CA.

"As we look forward to the evolution of both the web and our own products, it is clear HTTPS will continue to be a foundational technology," Ryan Hurst, security and privacy engineering product manager at Google, wrote in a blog post. "This is why we have made the decision to expand our current Certificate Authority efforts to include the operation of our own Root Certificate Authority."

Hurst himself is no stranger to the CA world, having served as the CTO of GlobalSign, which is one of the largest CAs on the internet, from 2012 to 2015.

"We have established Google Trust Services, the entity we will rely on to operate these Certificate Authorities on behalf of Google and Alphabet," Hurst said.

Sean Michael Kerner is a senior editor at eSecurityPlanet. Follow him on Twitter @TechJournalist.