Google updated its browser Thursday, patching nine security bugs and labeling four as “high” and two as “medium” risk to computer users. The update was tied to a new Chrome browser build (50.0.2661.94) that fixes the flaws.
Google also shelled out $14,000 in bug bounty payouts for flaws addressed in this security update, according to a Google Chrome Team security bulletin.
Details are scant on the actual security flaws. That’s because Google says it needs to keep information about the bugs restricted until a majority of browsers are updated. “We will also retain restrictions if the bug exists in a third party library that other projects similarly depend on, but haven’t yet fixed,” it wrote.
Five Chrome bug bounty hunters split the $14,000 in rewards. Four $3,000 payments went to those who discovered “high” risk browser vulnerabilities.
Security researcher Atte Kettunen, with the University of Oulu, Finland, earned $3,000 for discovering an “out-of-bounds write in Blink” vulnerability (CVE-2016-1660).
Independent security consultant Wadih Matar also earned $3,000 for his discovery of a “Memory corruption in cross-process frames” (CVE-2016-1661) security bug in Chrome. Matar earned an additional $1,000 for a “medium” security bug (CVE-2016-1664), an “address bar spoofing” issue.
Rob Wu, a software science student at the Eindhoven University of Technology, also earned $3,000 for his discovery of a “use-after-free in extensions” security flaw (CVE-2016-1662) found in Chrome.
Google also paid $3,000 to an anonymous researcher who discovered a security flaw (CVE-2016-1663) that was described only as “use-after-free in Blink’s V8 bindings.”
Another bug bounty payout went to “gksgudtjr456,” who received $1,000 for a “medium” risk (CVE-2016-1665) “information leak in V8” security flaw.
Google fixed an additional three security bugs (CVE-2016-1666) that included “various fixes from internal audits, fuzzing and other initiatives.”