Google Chrome 17 Bug Hunt Nets Researchers $47,500
Chrome 17 has proven to be quite expensive for Google (NASDAQ:GOOG). The search giant on March 4 said it just paid $47,500 in bug bounties and bonuses to reward researchers who helped find flaws in the browser's stable channel update.
That's a substantial hike from the stable build's initial launch Feb. 8, when Google paid $10,500 to researchers who found 20 flaws of various severity. The company has now paid out $58,000 for security issues related to Chrome 17, easily the most expensive browser launch from the company.
The latest update17.0.963.65fixes several issues, including cursors, plug-ins and backgrounds that fail to load and Websites that break when touch controls are used. Google also included the latest Adobe Flash player 11.1 build.
Google also paid $10,000 apiece for three special bugs. Showing its sense of humor, the Chrome security team described the flaws as "excessive Webkit fzzing," an "awesome variety of fuzz targets," and "significant pain inflicted upon" Scalable Vector Graphics (SVG).
The team also explained why it paid $10,000 at a time when it pays roughly $1,000 for an average bug detection.
"We have always reserved the right to arbitrarily reward sustained, extraordinary contributions," wrote Jason Kersey of the Chrome Security team, in a corporate blog post. "In this instance, we're dropping a surprise bonus. We reserve the right to do so again and reserve the right to do so on a more regular basis!"
In addition to the $30,000 for the three special bugs, Google also paid $17,500 for 14 more flaws, most of which were of the "use after free" persuasion.
Google has paid more than $700,000 to researchers who have detected hundreds of bugs in its Chrome browser since the company launched the program in January 2010.
That number is set to more than double at CanSecWest in Vancouver, B.C., where Google will offer up to $1 million in rewards for Chrome exploits at the Pwn2Own hacking contest this week.
The payouts include $60,000 for a full Chrome exploit covering user account persistence using only bugs in Chrome.
Google is offering $40,000 for partial Chrome exploits covering persistence using at least one bug in Chrome itself, and other bugs, such as a WebKit bug, combined with a Windows sandbox bug. The company is further paying $20,000 for consolation awards.