Google has now paid out $58,000 in flaw finds for its Chrome 17 browser, a substantial sum for a stable build but peanuts for a company ready to pay $1 million in bounties over the next few days.
Chrome 17 has
proven to be quite expensive for Google (NASDAQ:GOOG). The search giant on
March 4 said it just paid $47,500 in bug bounties and bonuses to reward researchers
who helped find flaws in the browser's stable channel update.
That's a substantial hike from the stable build's initial
Feb. 8, when Google paid $10,500 to researchers who found 20
flaws of various severity. The company has now paid out $58,000 for security
issues related to Chrome 17, easily the most expensive browser launch from the
update17.0.963.65fixes several issues, including cursors, plug-ins and
backgrounds that fail to load and Websites that break when touch controls are
used. Google also included the latest Adobe Flash player 11.1 build.
paid $10,000 apiece for three special bugs. Showing its sense of humor, the
Chrome security team described the flaws as "excessive Webkit
fzzing," an "awesome variety of fuzz targets," and
"significant pain inflicted upon" Scalable Vector Graphics (SVG).
The team also
explained why it paid $10,000 at a time when it pays roughly $1,000 for an
average bug detection.
always reserved the right to arbitrarily reward sustained, extraordinary
contributions," wrote Jason Kersey of the Chrome Security team
in a corporate blog post. "In this instance, we're dropping a surprise
bonus. We reserve the right to do so again and reserve the right to do so on a
more regular basis!"
In addition to
the $30,000 for the three special bugs, Google also paid $17,500 for 14 more
flaws, most of which were of the "use after free" persuasion.
has paid more than $700,000 to researchers who have detected hundreds of bugs
in its Chrome browser since the company launched the program in January 2010.
That number is
set to more than double at CanSecWest in Vancouver, B.C., where Google will
offer up to $1 million in rewards for Chrome exploits at the Pwn2Own hacking
contest this week.
include $60,000 for a full Chrome exploit covering user account persistence
using only bugs in Chrome.
Google is offering $40,000 for partial Chrome exploits
persistence using at least one bug in Chrome itself, and
other bugs, such as a WebKit bug, combined with a Windows sandbox bug. The
company is further paying $20,000 for consolation awards.