Google said on Thursday that it patched ten security holes in its Chrome Web browser. The company also paid out more than $10,000 in bounties to security researchers who reported the holes.
The updates, released as Chrome 5.0.375.127, include fixes for two critical vulnerabilities and a workaround for another critical vulnerability in a third-party component that affects Chrome, according to a post on the Chrome blog by team member Jason Kersey.
The critical holes include a memory corruption hole within the Chrome file dialog and a bug in the notifications feature that would crash Chrome during shutdown.
Google defines critical security holes as those that “allow an attacker to run arbitrary code with the user’s privileges in the normal course of browsing.” Of the remaining holes that were patched, seven were rated “High” severity, defined as holes that let an attacker “read or modify confidential data belonging to other Web sites.” One was a “Medium” severity hole.
In July, Google announced changes in its remuneration for security researchers who find holes in the company’s products. The maximum payout for a single bug was increased to $3,133.70, based on the severity of the hole and the amount of research done to find and analyze it, with the minimum payment staying flat at $500. None of the patched holes carried the new maximum reward.
Google’s move followed a similar announcement from Mozilla, which increased its bounty for security holes to $3,000 as part of its six-year-old bug bounty program. However, security researchers have argued that software vendors are still underpaying for security holes in their products, with governments and private contractors – as well as the cyber criminal underground – paying much higher prices for information on critical, remotely exploitable holes.