Researcher rewarded over $30,000 for nailing three Chrome OS security flaws

Filed Under: Featured, Google, Google Chrome, Vulnerability

Google has patched four flaws - three of them high-risk - in its Chrome operating system and has paid out $31,336 to the researcher who spotted three of them.

The flaws are all found in the O3D plug-in: a Google-crafted plugin used to create interactive 3D graphics applications that run in browser windows or in an XML User Interface (XUL) desktop application.

Updates for Chrome 26 will be pushed out over the next few days, according to a blog post written by Google's Ben Henry.

The fixed flaws:

  • [227197] Medium CVE-2013-2832: Uninitialized memory left in buffer in O3D plug-in. Credit to Ralf-Philipp Weinmann.
  • [227181] High CVE-2013-2833: Use-after-free in O3D plug-in. Credit to Ralf-Philipp Weinmann.
  • [227158] High CVE-2013-2834: Origin lock bypass of O3D and Google Talk plug-ins. Credit to Ralf-Philipp Weinmann.
  • [196456] High CVE-2013-2835: Origin lock bypass of O3D and Google Talk plug-ins. Credit to Google Chrome Security Team (Chris Evans).

Google's base reward for eligible bugs in its Chrome Vulnerability Rewards Program is $500.

Google typically pays out at least $1,000, the company says, but if the reward panel deems a bug particularly nasty, the value can be as much as the interestingly specific figure of $3,133.70.

If a given vulnerability really knocks the panel's socks off, the bounty can hit $10,000 or even beyond, so one assumes that researcher Ralf-Philipp Weinmann zeroed in on some very gnarly security issues and then followed up by documenting them quite nicely.

That's exactly what Google's Henry says, at any rate:

"We're pleased to reward Ralf-Philipp Weinmann $31,336 under the Chromium Vulnerability Rewards Program for a chain of three bugs, including demo exploit code and very detailed write-up. We are grateful to Ralf for his work to help keep our users safe."

Congratulations, Mr. Weinmann, for the reward, and thanks for your work from computer users everywhere.


3 Responses to Researcher rewarded over $30,000 for nailing three Chrome OS security flaws

  1. Winterfruit · 494 days ago

    Interestingly specific?
    3133.7 = ELEET = ELITE

  2. ACS · 493 days ago

    What a cool story. I think it's a really good idea to reward the people who find these critical errors.

  3. Anon · 493 days ago

    I think it is a better idea to have programmers who don't create them in the first place


About the author

I've been writing about technology, careers, science and health since 1995. I rose to the lofty heights of Executive Editor for eWEEK, popped out with the 2008 crash, joined the freelancer economy, and am still writing for my beloved peeps at places like Sophos's Naked Security, CIO Mag, ComputerWorld, PC Mag, IT Expert Voice, Software Quality Connection, Time, and the US and British editions of HP's Input/Output. I respond to cash and spicy sites, so don't be shy.