Researcher rewarded over $30,000 for nailing three Chrome OS security flaws

Google has patched four flaws – three of them high-risk – in its Chrome operating system and has paid out $31,336 to the researcher who spotted three of them.

The flaws are all found in the O3D plug-in: a Google-crafted plugin used to create interactive 3D graphics applications that run in browser windows or in an XML User Interface (XUL) desktop application.

Updates for Chrome 26 will be pushed out over the next few days, according to a blog post written by Google’s Ben Henry.

The fixed flaws:

• [227197] Medium CVE-2013-2832: Uninitialized memory left in buffer in O3D plug-in. Credit to Ralf-Philipp Weinmann.
• [227181] High CVE-2013-2833: Use-after-free in O3D plug-in. Credit to Ralf-Philipp Weinmann.
• [227158] High CVE-2013-2834: Origin lock bypass of O3D and Google Talk plug-ins. Credit to Ralf-Philipp Weinmann.
• [196456] High CVE-2013-2835: Origin lock bypass of O3D and Google Talk plug-ins. Credit to Google Chrome Security Team (Chris Evans).

Google’s base reward for eligible bugs in its Chrome Vulnerability Rewards Program is $500.

Google typically pays out at least $1,000, the company says, but if the reward panel deems a bug particularly nasty, the value can be as much as the interestingly specific figure of $3,133.70.

If a given vulnerability really knocks the panel’s socks off, the bounty can hit $10,000 or even beyond, so one assumes that researcher Ralf-Philipp Weinmann zeroed in on some very gnarly security issues and then followed up by documenting them quite nicely.

That’s exactly what Google’s Henry says, at any rate:

"We're pleased to reward Ralf-Philipp Weinmann $31,336 under the Chromium Vulnerability Rewards Program for a chain of three bugs, including demo exploit code and very detailed write-up. We are grateful to Ralf for his work to help keep our users safe."

Congratulations, Mr. Weinmann, for the reward, and thanks for your work from computer users everywhere.