Google Pays $34,901.10 for Chrome 28 Flaws

From the ‘$21,500 Bug Bounty’ files:

Google has released its latest open source Chrome web browser release, 28.0.1500.71.

This is mostly a bug and security fix update – with some very notable bug fixes. While Google has been paying security researchers for flaws for some time, with Chrome 28 Google is really upping the ante with the largest payout in the history of Google’s security bug bounty program for a normal Chrome release.

Researcher Andrey Labunets is being awarded a special reward of $21,500 for a pair of flaws identified as CVE-2013-2879 and CVE-2013-2868.

Another big winner this month is researcher Collin Payne, who scored $6,267.40 from Google for CVE-2013-2879: Use-after-free with network sockets.

Google is also paying out a tidy sum of $3,133.7 for CVE-2013-2853: Man-in-the-middle attack against HTTP in SSL, which was reported by Antoine Delignat-Lavaud and Karthikeyan Bhargavan from Prosecco at INRIA Paris.

The other big ticket bug bounty fix in Chrome 28 is a $2,000 reward to security researcher Miaubiz. He is credited with reporting CVE-2013-2871: Use-after-free in input handling. Miaubiz is no stranger to Google’s bug bounty program. In fact, he is the first researcher that ever got more than $3,337 for a bug from Google.

Back in March of 2012, for the Chrome 17 releases, Miaubiz was awarded a special reward of $10,000 for his contributions to Chrome security.

Sean Michael Kerner is a senior editor at Follow him on Twitter @TechJournalist.
