Less than two weeks after releasing version 6.0 of its Chrome browser, Google has pushed out another Chrome release, which includes fixes for 10 security bugs, seven of which are rated either critical or high.
Google Chrome 6.0.472.59 comes out just 12 days after the last Chrome release, which fixed 14 security bugs. As part of its bug bounty program, Google paid out $4,000 in rewards to researchers who disclosed security flaws in the browser. Most of the security flaws fixed in the new release are in the Windows version of Chrome, but the most serious bug is only in Chrome for Mac.
The critical Chrome for Mac bug is actually an old memory corruption flaw that was not fixed properly in earlier versions. Bug fix 53361 in the new version of Chrome addresses that problem on the Mac. There also is one bug fix that is just for Chrome running on Linux machines.
Most of the security bugs fixed in the new version of Chrome were found by external security researchers, although Chris Evans of Google’s security team discovered the Linux bug and Microsoft’s David Weston reported a high severity use-after-free bug that also was independently reported by another researcher.
Google in July announced that it was increasing the bug bounties it pays to researchers who disclose security vulnerabilities in Chrome, jacking up the highest reward to $3133.70. Although none of the bugs fixed in Chrome 6.0.472.59 was severe enough to qualify for the highest payout, it would seem that Google’s efforts are meeting with some early success.
While Google’s Evans and Microsoft’s Weston certainly would have privately disclosed the bugs they found in any case, there’s no way of knowing whether Google would have gotten its hands on the other flaws before they were disclosed publicly. But in the last two major releases of Chrome, Google has fixed a total of 24 security vulnerabilities in the browser, many of them rated either critical or high, and has paid out $8,133 in rewards to the researchers who reported them.
That’s a pretty small amount of money for a company the size of Google, especially when you consider the amount of value that Google is getting back in return. In addition to researchers such as Evans, Michal Zalewski and Tavis Ormandy whom Google employs in-house, the company now has quite a few outside researchers working on finding bugs in Chrome for what amounts to a very reasonable rate.
Even if Google was paying out its highest reward of $3133.70 for the majority of the reported bugs–which is unlikely to ever happen, given the criteria for that bounty–the company still would be getting good value for its investment.