Google Pays $3,133.7 To Researcher For Squishing Bug In Chrome

It seems that Google is very keen to squish bugs in its Chrome browser; so much so in fact that, according to Infoworld, it has paid one researcher $3,133.7 for finding a single bug. Researcher Sergey Glazunov discovered a flaw related to "stale pointer in speech handling." This apparently affects the code in the application which handles allocation of RAM. Google's Chrome programming manager, Jason Kersey, had this to say:

"We’re delighted to offer our first “elite” $3,133 Chromium Security Reward to Sergey Glazunov. Critical bugs are harder to come by in Chrome, but Sergey has done it. Sergey also collects a $1337 reward and several other rewards at the same time, so congratulations Sergey!"

This is the first time that a critical bug has been discovered since Google launched the scheme in December of last year. According to Infoworld, all in all, Google paid Glazunov $7,470, and a total of $14,000 to various researchers including Glazunov.

The browser currently has a 10% share of the market in terms of users, so security is a key priority for Google, as attacks and malware become ever more sophisticated. Google plans to continue the program for the foreseeable future as it provides a key incentive for independent researchers such as Glazunov.

The latest version of Google Chrome can be downloaded from here or via the automatic updates function.


32 Comments


did they pay them or did he ask money before fixing it?
Big difference and google can say whatever they say to the press. All the fanboys believe it anyway.

nifke said,
did they pay them or did he ask money before fixing it?
Big difference and google can say whatever they say to the press. All the fanboys believe it anyway.

You should read a little more next time, the article included that information. It's a standing program Google has (and was linked to in the article), which offers cash for fixing bugs.

WJrandon said,
Three thousand dollars is not an impressive figure considering the amount of cash Google has on hand.

yes, they should fork over 1 TRILLION DOLLARS! *raises pinkie to corner of mouth*

WJrandon said,
Three thousand dollars is not an impressive figure considering the amount of cash Google has on hand.

Just because they have mountains of cash they should fork out silly figures for bug discovery for a product they give away free?

Outstanding logic, Sir!

WJrandon said,
Three thousand dollars is not an impressive figure considering the amount of cash Google has on hand.

r u for real???? it's good money for a bug.

It's a double edged sword. It can be argued that IE has the advantage of security through obscurity, whereas anyone looking to aim an attack at a webkit browser (or Firefox, which is also FOSS) can just scan the source code for weaknesses.

The Protagonist said,
isn't open source such a wonderful thing, this is what makes chrome a good browser IMO it's open to anyone unlike IE...

In fact, if I ever had to work on a project, between closed and open source, I'd choose closed source hands down. Both have their advantages and disadvantages.

IMO closed-source is better just because everything is uniform and so easy to work with. For this reason, upgrading a closed-source app is much easier and faster. Open-source, on the other hand, is much harder to work with, but has its lot of functionality and growing ideas over closed-source.

That being said, in the case of Chrome and IE, don't get me wrong, amongst all, IE is the worst browser since the last 5 years. Since Chrome relies on Apple's engine, which was at the point of release the most advanced, it's obvious it can only be better.

PyX said,

In fact, if I ever had to work on a project, between closed and open source, I'd choose closed source hands down. Both have their advantages and disadvantages.

IMO closed-source is better just because everything is uniform and so easy to work with. For this reason, upgrading a closed-source app is much easier and faster. Open-source, on the other hand, is much harder to work with, but has its lot of functionality and growing ideas over closed-source.

That being said, in the case of Chrome and IE, don't get me wrong, amongst all, IE is the worst browser since the last 5 years. Since Chrome relies on Apple's engine, which was at the point of release the most advanced, it's obvious it can only be better.

Yeah that's why I write code that doesn't work in closed source. Because they think "oh I have more security through closing my source code" or "I made something unique that no one has ever thought of" (sure you did). Knowledge belongs to the world. If it wasn't for a lot of open source apps (you wouldn't have competition and the toolkits you do use). For jobs yeah sure it's fine but I still digress but you need to make money for a living. But for single developers I doubt it's ever worth it unless it's something that blows someone's mind.

The benefits of doing open source is that it's more widely accepted and you get bug fixes/patches/features from other ones even get translations (good luck with that on your own). That's why apps on Windows fail, because a ton of apps aren't localised. I've been working on my open source app and it already is translated in 30 languages and have a decent user base.

Majesticmerc said,
It's a double edged sword. It can be argued that IE has the advantage of security through obscurity, whereas anyone looking to aim an attack at a webkit browser (or Firefox, which is also FOSS) can just scan the source code for weaknesses.

True, however, in this case, if Glazunov would have discovered something like this in IE and not reported it to Microsoft but rather to underground circles, now there's a major problem. All it takes is one single black hat. While Google will on the other hand have more researchers peering through the code and identifying the exploit. This has actually happened in the latest stable release, where one and the same bug was independently found by two different researchers, which is telling of how well the system works.

ZekeComa said,

Well IE9 doesn't work on Mac OS X or Linux or my cell phone so what's the point?

"So what is the point" Ummm you chose the wrong OS? Jump on over to 95% of the rest of computer users?

ZekeComa said,

Well IE9 doesn't work on Mac OS X or Linux or my cell phone so what's the point?

Who said it had to work on every platform?

iTunes doesn't _work_ on Windows but people happily use it on MACs ;-)

rrode74 said,

"So what is the point" Ummm you chose the wrong OS? Jump on over to 95% of the rest of computer users?

Why would I jump to Windows when all my work/job requires me to do other desktops/cell phones than Windows? Plus C++ development in Windows sucks.

ZekeComa said,

Why would I jump to Windows when all my work/job requires me to do other desktops/cell phones than Windows? Plus C++ development in Windows sucks.

"Plus C++ development in Windows sucks" LOL! If anything Microsoft is known for its excellent development tools, have you ever tried Visual Studio?

rrode74 said,

"Plus C++ development in Windows sucks" LOL! If anything Microsoft is known for its excellent development tools, have you ever tried Visual Studio?

C++ in windows does suck, you need a decent-sized team of people to get ANYTHING done in C++. Visual Studio is a very good tool like you said, but that doesn't make C++ easier to program in.

De.Bug said,
C++ in windows does suck, you need a decent-sized team of people to get ANYTHING done in C++. Visual Studio is a very good tool like you said, but that doesn't make C++ easier to program in.

So is it C++ or the tool?

rrode74 said,

"Plus C++ development in Windows sucks" LOL! If anything Microsoft is known for its excellent development tools, have you ever tried Visual Studio?

That IDE doesn't give me what I need and again it's only for Windows. I use CMake, git, cachegrind, valgrind, sql browsing, profiling, (code completion that actually works and doesn't depend on sql server 2008/10). Qt designer, Qt documentation, KDE development, python, Qt unit tests. Visual Studio lacks all of that pretty much and the IDE that I do doesn't run on Windows, at least not yet.

rrode74 said,

So is it C++ or the tool?

C++, it's an old and very hard to learn/use programming language. It is the second lowest level of programming in windows, meaning that it is pretty close to actual writing in "computer language." The only programming language below it is Assembly where you just move, read, and create data in memory addresses. I personally use VB.Net and C# because of their ease of use. I can create simple programs with them in about a minute.

De.Bug said,
C++, it's an old and very hard to learn/use programming language. It is the second lowest level of programming in windows, meaning that it is pretty close to actual writing in "computer language." The only programming language below it is Assembly where you just move, read, and create data in memory addresses. I personally use VB.Net and C# because of their ease of use. I can create simple programs with them in about a minute.

I can do the same thing in Qt and not worry about memory deletion and have full RAD and Unicode support and not be in crappy Hungarian notation.

C# isn't bad, it's quite good but it has no decent cross OS gui toolkit.

ZekeComa said,

I can do the same thing in Qt and not worry about memory deletion and have full RAD and Unicode support and not be in crappy Hungarian notation.

C# isn't bad, it's quite good but it has no decent cross OS gui toolkit.

You don't have to worry about memory deletion in VB.Net or C#, but unicode and RAD support would be nice.

De.Bug said,
You don't have to worry about memory deletion in VB.Net or C#, but unicode and RAD support would be nice.

Plus all my work is done in C++ and jobs I do require C++. I'm content with working in C++. I just can't stand STL xP.

I'll have to come in and add that YES C/C++ development SUCKS in Windows. The tools are just better in Linux or OSX

Rudy said,
I'll have to come in and add that YES C/C++ development SUCKS in Windows. The tools are just better in Linux or OSX

+1

Visual Studio is good but it's too bloated for what it's worth and it's not worth the expensive price tag it offers and still fails in code completion department due to its bloated requirement of SqlServer and other reasons.

The reason I prefer using Linux/Mac because all its includes are in a single area and not spread into **** unknown places. Plus there are ones you simply can't get on Windows.

rrode74 said,

"So what is the point" Ummm you chose the wrong OS? Jump on over to 95% of the rest of computer users?


well IE9 cannot be installed on XP so take down 55% of that share.

still1 said,

well IE9 cannot be installed on XP so take down 55% of that share.

Well they should learn to stop using old outdated crap. windows 7 is perfect enough. But then again they are too busy complaining about something.