Google officially released the Chrome 38 browser on Oct. 9, providing users with few new features. The main focus of Chrome 38 is stability and security fixes—lots of security fixes.
In total, Google is patching 159 security vulnerabilities in Chrome 38, which is one of the highest numbers of security-related fixes for any single browser ever released. Going a step further, Google noted that it also made “113 relatively minor fixes” that it found with its open-source Memory Sanitizer application. Other browser vendors likely might have also counted the 113 memory fixes in their security totals, so for argument’s sake, let’s say that Chrome 38 fixes 272 security related issues.
That’s a whole lot of issues. To be fair, there is no evidence and no reports that any of those 272 issues have ever been exploited by anyone.
Aedla is also being awarded an additional $4,500 reward for CVE-2014-3195, which is an information leakage issue in V8.
A security researcher identified only as “cloudfuzzer” is another big winner in the Chrome 38 money pile. Google credits cloudfuzzer with reporting CVE-2014-3189, CVE-2014-3190, CVE-2014-3191 and CVE-2014-3192, which are memory-related flaws including use-after-free memory errors. For his efforts, Google is paying cloudfuzzer the tidy sum of $11,000.
Google develops Chrome in a series of release branches that culminate in a final stable release. During the development process, multiple bugs were found, which Google is also recognizing with awards.
“We would also like to thank Atte Kettunen of OUSPG and Collin Payne for working with us during the development cycle to prevent security bugs from ever reaching the stable channel,” Google Chrome developer Matthew Yuan wrote in a blog post. “$23,000 in additional rewards were issued.”
The Chrome 38 release is also noteworthy in that it is the first since Google announced an increase in its bug payout schedule last week. Under the new reward schedule, the top listed payout is $15,000 for a Sandbox escape, complete with a high-quality report and a functional exploit. It’s interesting to note that Aedla was paid nearly double that for CVE-2014-3188.
Overall, Google has paid out over $1.25 million in bug bounties since it first began to reward researchers for reporting flaws in Chrome back in 2010.