Google splashes $80k on Chrome 40 bug splatting

Google has patched 62 security vulnerabilities in Chrome 40 and handed out US$88,500 to bug hunters who spotted the problems. Of those fixes, 17 swatted dangerous memory corruption and use-after-free vulnerabilities in Chrome elements including FFmpeg, ICU and DOM. The Chocolate Factory's digital guardians pushed the flagship …

  1. Anonymous Coward

    Disclosure

    I wonder if someone who notified them of a bug a couple months ago that didn't make this release will make it public like they've been doing to Microsoft?

    1. Anonymous Coward

      Re: Disclosure

      Why would they need to threaten and motivate themselves to patch?

      If they didn't care about it, then they wouldn't have bounties in the first place.

      1. LDS Silver badge

        Re: Disclosure

        They pay money so the researcher stays silent until the check is paid...

    2. Anonymous Coward

      Re: Disclosure

      Chrome - the browser with more security holes than IE!

      With The Borg monitoring all that you do...

    3. Charlie Clark Silver badge

      Re: Disclosure

      Google quickly discovered that it was excellent PR to run bounty schemes, and much cheaper and more effective than trying to prevent disclosure.

  2. Anonymous Coward

    Can some one clarify

    FFmpeg...

    Is this the same one in VLC?

  3. LDS Silver badge

    Google doesn't respect its own 90 days deadline!

    CVE-2014-7923 was created on October 6th, 2014 (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7923) - and that is only the date when the CVE identifier was created - not when the vulnerability was discovered, which of course happened *before*.

    (It looks like the other CVE entries too were created on 20141006 - thereby it looks like Google too needs time to fix things and release them... how many other later vulns are there and waiting to be patched well after 90 days?)

    "Strangely" they waited a "few days" for the release of a patch.... but of course wait for googledrones flying in to say this is different....

    1. Fuzz

      Re: Google doesn't respect its own 90 days deadline!

      Maybe Microsoft should start paying bounties for bugs in Google software

      1. LDS Silver badge

        Re: Google doesn't respect its own 90 days deadline!

        Ah, that's the reason Google is publishing them, they asked for money and MS didn't comply?

      2. Anonymous Coward

        Re: Google doesn't respect its own 90 days deadline!

        "Maybe Microsoft should start paying bounties for bugs in Google software"

        I don't think Microsoft would have enough money! Google's software has a terrible security vulnerability record...

    2. Anonymous Coward

      Re: Google doesn't respect its own 90 days deadline!

      What are you talking about? Do you even know?

      1. LDS Silver badge

        Re: Google doesn't respect its own 90 days deadline!

        Can you read a CVE entry? Follow the link....

    3. Charlie Clark Silver badge
      Thumb Down

      Re: Google doesn't respect its own 90 days deadline!

      The press release doesn't make it clear when the CVE was made public. As the bugfix has just gone into the stable version of the browser, it will have been fixed in beta and canary channels earlier and presumably available as a hotfix if required.

      Not that Google might not get caught out by its 90 day rule at some point but at the moment it has the PR on its side.

      From the security page:

      One of the quickest ways to get involved is finding and reporting security bugs. It will get prompt attention from a security sheriff, be kept private until we coordinate disclosure, and possibly qualify for a cash reward through our Vulnerability Rewards Program. We occasionally run security contests outside of our regular reward program (e.g. Pwnium2, Pwnium3) too.

      Oh, and the code is all open source so that miscreants have a head start finding bugs. Except, of course, that automated scans are better than code review for detecting exploits.

      1. LDS Silver badge

        Re: Google doesn't respect its own 90 days deadline!

        Of course the press release doesn't tell it - but it doesn't take much effort to go to the CVE site and discover it ... The CVE entry was created at the beginning of October. Unlike Google, they don't publish details whenever they like - they take security seriously, unlike Google which is now using it as a weapon against MS even if it puts users at more risk.

        But the very fact that the CVE entry was reserved, assigned and thereby "timestamped" means that the vulnerability was discovered and sent to Google well before the 90 days Google decided *others* should fix their issues within.

        Also, it can be very dangerous to fix vulnerabilities in beta and hotfix - because as soon as that code is released, a simple diff tells you where to look, even if details are not made public. Vulnerabilities are not like other bugs - disclosure *must* be very careful or you just get exploitable zero-day ones. A sound practice is to fix vulnerabilities first in the production release and then backport them to any public beta or whatever - the other way round could be much more dangerous.

        And, read: "be kept private until we coordinate disclosure" - so they keep them private until they are ready for a disclosure - no matter how long it takes, no deadline here - so what they ask others to comply with is not valid for them. What is funny is people like you think it's OK.... but Google has brainwashed a lot of people who are scared as hell if they have to pay for the software they use...

        1. Charlie Clark Silver badge

          Re: Google doesn't respect its own 90 days deadline!

          I didn't find the release date of the CVE anywhere. Contrary to your insinuation I don't think Google is wonderful. There's a lot to criticise about the company. But they're handsomely winning the PR war about security. And I think they understand better than most that you can only keep the most severe exploits under wraps, and even then only for a very short time (OpenBSD is the model here).

          I haven't looked at the commits but I can't imagine they put something in stable without first having it in the beta version. A hotfix for all versions would be the exception here. I suppose that checking this would prove which of us is right about this.

  4. Haro

    Yeah for Google

    This is a great program, paying for bugs. It keeps people interested, and playing by the rules, whatever they are. The MS bounty program is ransomware. :)
