Thursday, August 16, 2012
Google offers bigger bucks in Chrome bug hunt
Believing the easy security holes have already been found, Google is adding new financial incentives for outside bug hunters.
Google's program to pay outsiders who find Chrome security vulnerabilities is working well enough that the company has concluded it's time to add new financial rewards. "Recently, we've seen a significant drop-off in externally reported Chromium security issues," Chrome programmer Chris Evans said in a blog post yesterday. "This signals to us that bugs are becoming harder to find, as the efforts of the wider community have made Chromium significantly stronger."
Thus, Google added a new $1,000 bonus on top of the regular incentive in three circumstances. The bonus applies if the vulnerability is "particularly exploitable" and comes with a demonstration; if it's in an open-source software library used beyond just Chrome; or if the vulnerability is in a stable area of Chrome that Google thought had already been picked clean of bugs. Google so far has paid more than $1 million for finding Chrome security holes, most notably one $60,000 payment to Sergey Glazunov and another to "PinkiePie."
Those vulnerabilities were uncovered in Pwnium, a Google contest to find working exploits in Chrome. Google announced up to $2 million in awards for Pwnium 2. Also yesterday, Google released Chrome 21.0.1180.79 for Mac, Linux, Windows and Chrome Frame to fix a vulnerability in Adobe Systems' Flash Player, which is built directly into Chrome.
The vulnerability apparently wasn't a mere idea, but rather an actual attack mechanism, according to Adobe. "There are reports that the vulnerability is being exploited in the wild in limited targeted attacks, distributed through a malicious [Microsoft] Word document. The exploit targets the ActiveX version of Flash Player for Internet Explorer on Windows," Adobe said.
by Stephen Shankland