High-Severity Chrome Vulnerabilities Earn Researcher $32K in Rewards

Researcher Mariusz Mlynski found and disclosed four high-severity vulnerabilities in Chrome’s Blink rendering engine, earning himself $32,000 through the Chrome Rewards program.

For the second time in less than a year, researcher Mariusz Mlynski has earned more than $30,000 through Google’s Chrome Rewards program.

Google on Wednesday released Chrome 56.0.02924.76 for Windows, Mac and Linux platforms, and Mlynski was credited with finding and disclosing four high-severity vulnerabilities that were patched.

All four were universal cross-site scripting flaws in Blink, the web browser rendering engine developed by Google’s Chromium project and used in the Chrome browser. The vulnerabilities earned Mlynski $32,337; last May, he pocketed $45,000 after finding a number of high-severity issues that were patched in the browser.

Mlynski has been a prolific browser vulnerability researcher, in particular at the annual Pwn2Own contest. In 2015, he used a cross-origin bug in Firefox to gain Windows admin privileges on a machine, earning himself $55,000; in 2014 he won another $50,000 by chaining together two Firefox flaws to gain privilege escalation on a Windows machine.

The latest version of Chrome includes patches for 51 vulnerabilities, seven of which were rated high severity and qualified for rewards. Google patched 14 high-severity bugs in total, with the remainder discovered internally.

Aside from Mlynski's four bugs, an unauthorized file access bug in DevTools, an out-of-bounds memory access issue in WebRTC, and a heap overflow in V8 were also rated high severity and earned three researchers a collective $11,500.

Google was also expected to begin deprecating SHA-1 in this version of Chrome. In line with the other browser makers, Google said in November that it would remove support for SHA-1 certificates starting with Chrome 56; Microsoft and Mozilla have announced similar deprecation schedules through the next month. SHA-1 has long been considered a weakened hashing algorithm that is susceptible to collision attacks. Experts have been urging site owners and application developers to migrate to SHA-2 or other modern algorithms, but success on that front has been mixed.

Yesterday’s Chrome update also continues Google’s acceleration of its support for HTML5 over Adobe Flash. Starting with a slow rollout in Chrome 55, Google is expected to have enabled HTML5 support by default for half of Chrome 56 beta users.

In Chrome 56, Google also paid out rewards for eight medium-severity vulnerabilities, and six others rated low severity.