Google has fixed a series of serious vulnerabilities in its Chrome OS, including three high-risk bugs that could be used for code execution on vulnerable machines. Bug bounties is the cash prizes offered by open source communities to anyone who finds key software bugs have been steadily on the rise for several years now.
As part of its reward program, Google paid out $31,336 to a researcher who found three of the vulnerabilities. Googleโs post notes: โWeโre pleased to reward Ralf-Philipp Weinmann $31,336 under the Chromium Vulnerability Rewards Program for a chain of three bugs, including demo exploit code and very detailed write-up. We are grateful to Ralf for his work to help keep our users safe.โ
The three-bug chain credited to Weinmann exploited O3D, a JavaScript API (application programming interface) designed for crafting interactive 3-D graphics-based Web applications. The API and supporting browser plug-in were created by Google, with a preliminary version of the latter released in 2009.
Vulnerabilities that Google fixed in Chrome OS 26:
Google has paid out more in various contests itโs run or co-sponsored, including $100,000 to a two-man team from MWR InfoSecurity at last monthโs Pwn2Own.
Most of the rewards are in the $1,000-$3,000 range, with some going above that, depending upon the severity of the vulnerability and difficulty of exploitation.
โThe Chromium Vulnerability Rewards Program was created to help reward the contributions of security researchers who invest their time and effort in helping us make Chromium more secure. Weโve been very pleased with the response: Googleโs various vulnerability reward programs have kept our users protected and netted more than $1 million dollars of total rewards for security researchers. Recently, weโve seen a significant drop-off in externally reported Chromium security issues.โ
Other big companies also pays bug bounties, but unlike Google, does not release the names of researchers or the payments they receive.