IE 11 is not supported. For an optimal experience visit our site on another browser.

Google's 'Bug Bounty' Program Behind Latest Chrome Fixes

/ Source: SecurityNewsDaily

The latest version of Google's popular Web browser Chrome, which hit users this Tuesday (Sept. 25), comes with 24 security fixes that cost the company $29,500.

The cash was paid out to researchers who make it their mission to find vulnerabilities and report them to Google before criminals can figure out a way to exploit them.

One of the most notable findings was a rare "critical" universal cross-site scripting threat reported by Sergey Glazunov, netting him $15,000.

This is not the first time Glazunov has increased his bottom line by hacking Chrome. When he was one of only two who could crack the browser at March's Pwnium contest, Google gave him $60,000. According to Computerworld, Glazunov has been awarded $80,000 for his security research work.

Chrome 22, which began to roll out on Tuesday (Sept. 25), doesn't look different than its immediate predecessor, but on the Chromium blog, Vincent Scheib said new support for Mouse Lock, a JavaScript API, will improve in-browser first-person gameplay. The latest version has also been enhanced and optimized with Windows 8 in mind.

Google Chrome updates itself automatically on all desktop platforms.

So far, Google has paid researchers $290,000 this year to find and report security flaws in the company's products, a practice it began in 2010. Recently, the company upped the ante from a base reward of $500 to $1,000, to mitigate a decline in the number of reports it was receiving; but as Glazunov demonstrates, researchers can earn a lot more.

Google isn't the only company paying freelancers to find its bugs. Facebook began paying out bounties last year (2011) and PayPal announced a money-for-bugs program in June. Other companies with "bug bounties" include Mozilla, Adobe and Microsoft.

When legitimate companies inserted themselves into a marketplace dominated by criminals and thieves, they gave hackers a new, legitimate way to profit from their skills. Instead of selling vulnerabilities to steal and make mischief, they could be turned over to the companies that created them in the first place to reduce crime and stop a flaw from being exploited before hackers can even start.

The disclosure of security vulnerabilities in technology and software is protected as free speech in the United States, but the exploit market is open and unregulated. While big players like Google and PayPal have deep pockets to buy their own flaws, customers remain at risk if they get outbid by a third party with an evil plan.

Follow Ben on Twitter.