Google pays $10,000 to fix 10 high-risk Chrome flaws

Google has shelled out more than $10,000 in bounties for the latest batch of high-risk security vulnerabilities in its Chrome browser.

The company released Google Chrome 5.0.375.127 with patches for 9 security holes and a workaround for a Windows kernel bug, paying $10,011 in rewards to the hackers who reported the issues.

The update is available for Windows, Mac and Linux.

[ Microsoft: No plans to pay for security vulnerabilities ]

Here are the details from Google's Jason Kersey:

  • [$1337] [45400] Critical Memory corruption with file dialog. Credit to Sergey Glazunov.
  • [$500] [49596] High Memory corruption with SVGs. Credit to wushi of team509.
  • [$500] [49628] High Bad cast with text editing. Credit to wushi of team509.
  • [$1000] [49964] High Possible address bar spoofing with history bug. Credit to Mike Taylor.
  • [$2000] [50515] [51835] High Memory corruption in MIME type handling. Credit to Sergey Glazunov.
  • [$1337] [50553] Critical Crash on shutdown due to notifications bug. Credit to Sergey Glazunov.
  • [51146] Medium Stop omnibox autosuggest if the user might be about to type a password. Credit to Robert Hansen.
  • [$1000] [51654] High Memory corruption with Ruby support. Credit to kuzzcc.
  • [$1000] [51670] High Memory corruption with Geolocation support. Credit to kuzzcc.

An additional $1337 was paid to Marc Schoenefeld for helping with a security workaround for a Windows kernel bug [51070].

Google and Mozilla pay bounties for security vulnerabilities in their products. Microsoft says it has no plans to pay hackers for reporting security problems.

ALSO SEE: No more free bugs.


Talkback

14 comments
  • At least Google isn't a cheap data mining spy

    They give back a little when they aren't taking. Wake up MS!
    klumper
    • They don't have to...

      @klumper Microsoft has legions looking for vulnerabilities in their software - why should they pay for people to do what others do for free? Google has to pay people to get more eyes on their product and at the same time get the marketing boost that comes with this. Don't confuse this with anything but a marketing ploy by Google to help push the idea that Chrome is the most secure browser platform (and OS, etc...) out there.
      s_southern
      • Right On!

        @s_southern Paying people to find security flaws and send you the fixes which you release before they are exploited is absolutely idiotic. Much better to have people in the wild find flaws, email them to you, ignore them, bad-mouth them for releasing them to the public 30, 60, 90 days after you've done nothing on them, and then scramble to deliver an out-of-band patch when thousands of computers are infected. Even better, let the cyber criminals pay folks to find the zero-day flaws, that way we can identify them faster as they get exploited. Now there's a genius business plan!
        GabeFree
      • RE: Google pays $10,000 to fix 10 high-risk Chrome flaws

        @s_southern

        Yes, "legions" looking for bugs--and not always finding them first.

        Monetizable knowledge finds its way to where the money is. Knowledge of profound browser security bugs is highly monetizable. The only way to hurt the economics of the security-bug black market is to create a white market for that knowledge. Sunlit employment for security-bug finders, of which offering and paying bounties for bugs is one form, is key to creating and maintaining that white market.

        Entities that act otherwise have undereducated staff. Acting out one's undereducatedness as arrogance is acting out resistance to learning.
        TriangleDoor
  • Very well done, Google.

    Thank you for doing it right.

    Others please note that we are not having zero-days here, and that we are not having irresponsible, self-promoting nuisance disclosure.

    Narr vi
    Narr vi
  • Only $10K?

    What did Google pay to create those flaws?
    dogbreath1
    • Seems cheap to me too.

      @dogbreath1 I'm 100% certain that I'm perfectly capable of creating flaws (even better ones at that) for far less than I'm sure they spent. If anyone at Google (or MS) wants to contract me, I'm all ears.
      GabeFree
  • RE: Google pays $10,000 to fix 10 high-risk Chrome flaws

    Good work by all and Sergey Glazunov now has some pocket money.
    Agnostic_OS
  • RE: Google pays $10,000 to fix 10 high-risk Chrome flaws

    NOW, maybe if they could JUST make the Google bar work with Google Chrome? That's a no-brainer! DUH
    tekwrite
  • RE: Google pays $10,000 to fix 10 high-risk Chrome flaws

    Funny how a couple of them got the lEET amount :P
    pool7
    • RE: Google pays $10,000 to fix 10 high-risk Chrome flaws

      @pool7 :) Good spot :)
      Steve__Jobs