Chrome 17 has proven to be quite expensive for Google
(NASDAQ:GOOG). The search engine giant on March 4 said it just paid $47,500 in bug bounties and bonuses to
reward researchers who helped find flaws in the browser’s stable channel.
That’s a substantial hike from the stable build’s first past Feb. 8, when Google paid $10,500 to
researchers who found 20 flaws of various severity. The company has now paid
out $58,000 for security issues related to Chrome 17, easily the most expensive
browser launch from the company.
The latest update — 17.0.963.65 — fixes several issues,
including cursors, plugins and backgrounds that fail to load and Websites that
break when touch controls are used. Google also included the latest Adobe Flash
player 11.1 build.
Google also paid $10,000 apiece for three special bugs.
Showing its sense of humor, the Chrome security team described the flaws as “excessive
WebKit fuzzing,” an “awesome variety of fuzz targets,” and
“significant pain inflicted upon” Scalable Vector Graphics (SVG).
The team also explained why it paid $10,000 at a time
when it pays roughly $1,000 for an average bug detection.
“We have always reserved the right to arbitrarily
reward sustained, extraordinary contributions,” wrote Jason Kersey, of the Chrome Security team, in a corporate blog post. “In this instance, we’re
dropping a surprise bonus. We reserve the right to do so again and reserve the
right to do so on a more regular basis!”
In addition to the $30,000 for the 3 special bugs, Google
also paid $17,500 for 14 more flaws, most of which were of the “use after
Google has paid more than $700,000 to researchers who
have detected hundreds of bugs in its Chrome browser since the company launched
the program in January 2010.
That number is set to more than double at
CanSecWest in Vancouver, where Google will offer up to $1 million in rewards for
Chrome exploits at the Pwn2Own hacking contest this week.
Google is offering $40,000 for partial Chrome exploits covering persistence
using at least one bug in Chrome itself, and other bugs, such as a WebKit bug
combined with a Windows sandbox bug. The company is further paying $20,000 for