Google has released version 8.0.552.237 of its Chrome browser, which includes fixes for 16 security vulnerabilities. The company also paid out more than $14,000 in bug bounties for the flaws fixed in this release, including the first maximum reward of $3133.7.
The new version of Google Chrome has fixes for 13 high-priority bugs, but the most serious vulnerability the company repaired in the browser is a critical flaw resulting from a stale pointer in the speech handling component of Chrome. That flaw, along with four others, was discovered by researcher Sergey Glazunov, who earned a total of more than $7,000 in rewards for the bugs he reported to Google.
“We’re delighted to offer our first ‘elite’ $3133.7 Chromium Security Reward to Sergey Glazunov. Critical bugs are harder to come by in Chrome, but Sergey has done it. Sergey also collects a $1337 reward and several other rewards at the same time, so congratulations Sergey!” Google said in its release notes for Chrome.
Google has said that the top payment in its program is typically going to be reserved for critical bugs that break out of the sandbox in Chrome.
It’s been nearly a year since Google started the bug bounty program for researchers. The company announced last February that it would begin paying researchers for bugs in Chromium that are reported directly to Google. At the time, the base reward was $500 and the top payment was $1337, and the program only applied to flaws found in Chromium or Chrome. The company has expanded the program since then to apply to its Web properties and also has upped the top payment for vulnerabilities to $3133.7.
Google’s program has attracted quite a bit of attention, and many researchers have benefited from the payments the company doles out. Since the program’s inception last year, Google has paid out tens of thousands of dollars in rewards. Google’s program followed on the heels of one started earlier by Mozilla, and the two companies have gone back and forth on bug prices, raising the bounties from time to time.
Currently, Google’s reward of $3133.7 is the highest payment from a vendor, with Mozilla paying a maximum amount of $3,000. Other companies have followed suit in the bug bounty game, with Barracuda Networks launching a similar program in November.