Google’s program to pay outsiders who find Chrome security vulnerabilities is working well enough that the company has concluded it’s time to add new financial rewards.
“Recently, we’ve seen a significant drop-off in externally reported Chromium security issues,” Chrome programmer Chris Evans said in a blog post yesterday. “This signals to us that bugs are becoming harder to find, as the efforts of the wider community have made Chromium significantly stronger.”
Thus, Google added a new $1,000 bonus on top of the regular incentive in three circumstances. The bonus applies if a vulnerability is “particularly exploitable” and comes with a demonstration; if it’s in an open-source software library used beyond just Chrome; or if the vulnerability is in a stable area of Chrome that Google thought had been already picked clean of bugs.
Google so far has paid more than $1 million for finding Chrome security holes, most notably one $60,000 payment to Sergey Glazunov and another to “PinkiePie.”
Also yesterday, Google released Chrome 21.0.1180.79 for Mac, Linux, Windows and Chrome Frame to fix a vulnerability in Adobe Systems’ Flash Player, which is built directly into Chrome.
The vulnerability apparently wasn’t merely theoretical: according to Adobe, it was already being used in real attacks.
“There are reports that the vulnerability is being exploited in the wild in limited targeted attacks, distributed through a malicious [Microsoft] Word document. The exploit targets the ActiveX version of Flash Player for Internet Explorer on Windows,” Adobe said.