Google has paid 9 researchers a total of $14,000 for finding vulnerabilities in its Chrome 9.0.597.107 browser, in preparation for next week’s Pwn2Own hacking contest. The outside researchers found 15 bugs, and Google identified four more. None of the bugs were ranked critical, but 16 of them were rated “high”, and three were rated “medium”. Google patched all 19 flaws on Monday.
About a month ago Google offered $20,000 to anyone who could escape Chrome’s “sandbox”. None of these flaws were as critical as that. They related several components, including WebGL, the hardware accelerated 3D graphics API that debuted in early February with Chrome 9; SVG (scalable vector graphics) rendering and animation; and the browser’s address bar. Nearly a quarter of them were related to Chrome’s memory allocation code.
The patched version of Chrome can be downloaded from Google’s web site, and those running Chrome will be updated automatically.
The $14,000 bounty was the second highest paid this year. The researchers who got the biggest checks were Martin Barbella with $3,000, Sergey Radchenko with $2,500 and two others with $2,000 each. Google and Mozilla, who makes Firefox, are the only browser developers who pay bounties directly to bug researchers.
Pwn2Own begins March 9th in Vancouver, BC, and Google’s $20,000 offer for breaking out of the sandbox stands for the first three days of the contest.