SOFTWARE DEVELOPER Google has paid out $60,000 to a security researcher for demonstrating a 'full Chrome exploit' in its Chrome web browser.
Sergey Glazunov, who has built up a reputation for demonstrating weaknesses in Chromium, is the first researcher to be awarded the $60,000 top prize. Glazunov showed off a remote code execution vulnerability in Chrome on an up-to-date Windows 7 system, which qualifies as a full Chrome exploit.
Last week Google announced that it would up the stakes in its Chrome cash-for-vulnerabilities programme, which had managed to withstand attacks in previous Pwn2own contests, offering a prize pool of $1m in its Pwnium contest for researchers to demonstrate exploits its Chrome web browser. The $60,000 top prize bracket is reserved for a full Chrome exploit, one that allows local user persistence on Microsoft Windows 7 using only bugs in Chrome.
Sundar Pichai SVP of Chrome and Apps at Google congratulated Glazunov and said, "We're working fast on a fix that we'll push via auto-update. This is exciting; we launched Pwnium this year to encourage the security community to submit exploits for us to help make the web safer. We look forward to any additional submissions to make Chrome even stronger for our users."
For Google, offering $1m to security researchers is a lot cheaper than having its own staff look for needles in a very large haystack, plus it avoids irresponsible disclosures of Chrome vulnerabilities that could dent its public image.
Although Glazunov is expected to be receiving a cheque for $60,000 there is still $940,000 up for grabs in Google's Pwnium competition.
Following Glazunov's vulnerability exploit, Google has updated its Chrome stable channel browser, hardening it against the attack. The firm said version 17.0.963.78 for Windows, Mac OS X and Linux also fixes issues with Adobe Flash games and videos. µ
It's time for our regular two-step through the Google news
Bug bounty offer: accepted