Security researcher Mariusz Mlynski is having a good month.
Having cashed in earlier in May to the tune of $15,500, Mlynski pocketed another $30,000 courtesy of Google’s bug bounty program after four high-severity vulnerabilities were patched in the Chrome browser, each worth $7,500 to the white-hat hacker.
On Thursday afternoon, Google pushed out Chrome version 51.0.2704.63, which included 42 security fixes and a long list of payouts via its bounty program.
Mlynski was at the top of the list, scoring big cash prizes for two separate cross-origin bypasses in Blink, a web browser engine developed as part of Google’s Chromium project. He also found cross-origin bypasses in Chrome extensions and extension bindings.
Mlynski is from Poland, and for years has been one of the dominant browser vulnerability researchers, in particular at the annual Pwn2Own contest. In 2015, he used a cross-origin bug in Firefox to gain Windows admin privileges on a machine, earning himself $55,000; in 2014 he won another $50,000 by chaining together two Firefox flaws to gain privilege escalation on a Windows machine.
Rob Wu, a student at TU/e in the Netherlands, also earned a $7,500 bounty for a cross-origin bypass in extension bindings. Wu earned four bounties, good for $13,000.
In all, Google paid out 23 bounties for Chrome bugs; the other vulnerabilities patched Thursday were found internally. The bugs that earned bounties are:
[$7500] High CVE-2016-1672: Cross-origin bypass in extension bindings. Credit to Mariusz Mlynski.
[$7500] High CVE-2016-1673: Cross-origin bypass in Blink. Credit to Mariusz Mlynski.
[$7500] High CVE-2016-1674: Cross-origin bypass in extensions. Credit to Mariusz Mlynski.
[$7500] High CVE-2016-1675: Cross-origin bypass in Blink. Credit to Mariusz Mlynski.
[$7500] High CVE-2016-1676: Cross-origin bypass in extension bindings. Credit to Rob Wu.
[$4000] Medium CVE-2016-1677: Type confusion in V8. Credit to Guang Gong of Qihoo 360.
[$3500] High CVE-2016-1678: Heap overflow in V8. Credit to Christian Holler.
[$3500] High CVE-2016-1679: Heap use-after-free in V8 bindings. Credit to Rob Wu.
[$3000] High CVE-2016-1680: Heap use-after-free in Skia. Credit to Atte Kettunen of OUSPG.
[$3000] High CVE-2016-1681: Heap overflow in PDFium. Credit to Aleksandar Nikolic of Cisco Talos.
[$1000] Medium CVE-2016-1682: CSP bypass for ServiceWorker. Credit to KingstonTime.
[$1000] Medium CVE-2016-1683: Out-of-bounds access in libxslt. Credit to Nicolas Gregoire.
[$1000] Medium CVE-2016-1684: Integer overflow in libxslt. Credit to Nicolas Gregoire.
[$1000] Medium CVE-2016-1685: Out-of-bounds read in PDFium. Credit to Ke Liu of Tencent’s Xuanwu LAB.
[$1000] Medium CVE-2016-1686: Out-of-bounds read in PDFium. Credit to Ke Liu of Tencent’s Xuanwu LAB.
[$1000] Medium CVE-2016-1687: Information leak in extensions. Credit to Rob Wu.
[$1000] Medium CVE-2016-1688: Out-of-bounds read in V8. Credit to Max Korenko.
[$1000] Medium CVE-2016-1689: Heap buffer overflow in media. Credit to Atte Kettunen of OUSPG.
[$1000] Medium CVE-2016-1690: Heap use-after-free in Autofill. Credit to Rob Wu.
[$500] Low CVE-2016-1691: Heap buffer-overflow in Skia. Credit to Atte Kettunen of OUSPG.
[$500] Low CVE-2016-1692: Limited cross-origin bypass in ServiceWorker. Credit to Til Jasper Ullrich.
[$500] Low CVE-2016-1693: HTTP Download of Software Removal Tool. Credit to Khalil Zhani.
[$500] Low CVE-2016-1694: HPKP pins removed on cache clearance. Credit to Ryan Lester and Bryant Zadegan.