Google pays $2,000 for report of a vulnerability in Chrome
Google has paid out its highest sum yet, $2,000, for the discovery of a vulnerability found in its Chrome browser. The recipient is developer Sergey Glazunov, who found a way of using a DOM method to circumvent the same-origin policy. Details of the vulnerability are not yet publicly available, but it is likely that it could allow a web page to access content from other web pages. Google classifies the risk as high. Update 5.0.375.70 for Windows, Mac and Linux resolves the problem.
The update also fixes a further 10 vulnerabilities, eight of which are classified critical. Two of the vulnerabilities were discovered by Apple – both Chrome and Apple's Safari being WebKit based. An update for Safari which fixed 48 vulnerabilities was released yesterday. One of the vulnerabilities in Chrome affects only the Linux version and enables escape from the sandbox.
As part of its Chromium Security Reward programme, launched earlier this year, Google has been rewarding those reporting security vulnerabilities with $500. In special cases, a committee can decide to increase the amount to a maximum of $1,337, but the maximum is only awarded for vulnerabilities which are particularly critical, or for particularly clever reports on vulnerabilities and their exploitation. Google is hoping that this will improve the security of its browser and therefore the security of its users. It's not clear why Google raised the sum to $2,000 in this case.
- Apple's Safari updates address 48 security vulnerabilities, a report from The H.
- Google releases Chrome 5.0 for Windows, Mac OS X & Linux, a report from The H.
- Google invites attacks on Chrome, a report from The H.