Google Pushes New Chrome Release, Pays $14k Bounty

Posted by timothy
from the return-on-investment dept.
Trailrunner7 writes "Google has released version 8.0.552.237 of its Chrome browser, which includes fixes for 16 security vulnerabilities. The company also paid out more than $14,000 in bug bounties for the flaws fixed in this release, including the first maximum reward of $3133.7. The new version of Google Chrome has fixes for 13 high-priority bugs, but the most serious vulnerability the company repaired in the browser is a critical flaw resulting from a stale pointer in the speech handling component of Chrome. That flaw, along with four others, was discovered by researcher Sergey Glazunov, who earned a total of more than $7,000 in rewards for the bugs he reported to Google."
This discussion has been archived. No new comments can be posted.

  • by Fluffeh (1273756) on Friday January 14, 2011 @12:04AM (#34873534)
    1) Convince Microsoft to adopt similar bug strategy.
    2) Start using software as it was designed to be used...
    3) PROFIT!!

    Yes, that's right. No step 4.

    *sips coffee*
    • by c0lo (1497653)

      1) Convince Microsoft to adopt similar bug strategy.
      2) Start using software as it was designed to be used...
      3) PROFIT!!
      Yes, that's right. No step 4.

      Step 2 is somehow flawed. Google paid the bounty for the security bugs and for Chrome only.

      MS:
      1. has a bigger "impact cross-section" thus won't afford to pay too much for a bug leading to a 0-day exploit;
      2. there is a stiff competition in the matter of monetary rewards for finding 0-days exploits (hint: some entities in a country used to be known as Soviet...). If somebody jumps into the game as a beginner and stay in the game long enough to be proficient in finding bugs, my bet... because of point 1 abov

      • by LingNoi (1066278)

        1. You can define the terms for payment and they have more money than google to blow.
        2. The competition fixes windows bugs? eh... Also, someone does work for you for money, gets better at their skill and may move jobs?! We can't let this happen! They must remain Microsoft's worker slaves forever!

    • side note - Originally there is no need for phase 4 [southparkstudios.com]

      *sips espresso*

    • You're conjuring up images of the boss guy in Office Space shagging the protagonist's girlfriend whilst sipping his coffee.
    • How come my version of Chrome is 9.0.597.47? Am I in the future, or did this article sit in the stack for several weeks?
  • I don't care how much it's for, because if I ever get a check from Google, it's getting framed. Just sayin.
    • by TafBang (1971954)
      I like your style. Perhaps as a Facebook display picture in hopes of getting some "likes" from potential femina mates
      • by mysidia (191772)

        I like your style. Perhaps as a Facebook display picture in hopes of getting some "likes" from potential femina mates

        I am afraid Google would run into the same problems Knuth and others did. When people post images of checks online, various scammers, the scum of the internet, find images of the checks online, make fake checks, or initiate fraudulent ACH transactions.... result: the account has to be closed.

        Remember folks... checks are legal instruments and contain confidential bank account num

        • by h4rr4r (612664)

          or just redact the numbers from the image.

        • by c0lo (1497653)

          Remember folks... checks are legal instruments and contain confidential bank account numbers printed on them, which (due to our insecure banking system) can easily be abused by scammers to steal lots of money. Never post an image for public consumption of a check someone else wrote to you.

          Or, at least, not if you care maintaining a good relation with that someone.
          I know, I know, not very moral of me.

    • *Sigh*, some people would rather have a check from Don Knuth...
    • It's just a company, dude.

    • by Joe Tie. (567096)

      I used to get android sales pretty consistently, and that was one of the best parts. There's just something kind of cool in checking your balance and seeing daily deposits from google.

    • Uh.....if you want it that bad, you can just get a job there, you know? I hear they even hire janitors.
  • by NFN_NLN (633283) on Friday January 14, 2011 @12:15AM (#34873624)

    14K sounds like a pretty good deal for Google. That's less than 2 months of salary for even an intermediate tester.

    • Less than 2 months intermediate? I'd be surprised if beginning testers cost Google less than $84k/year when you include bonus, stock, benefits, office space, etc..

      Then again, I'd also expect an intermediate tester to get more done than just 13 random bugs being found (1 every 3 work days). But maybe the quality of these 13 bugs is higher than you'd expect out of two months with a tester.

      Then again...again, I expect even without a bounty some of these bugs would have been reported. I wonder to what extent

      • by tyrione (134248)

        Less than 2 months intermediate? I'd be surprised if beginning testers cost Google less than $84k/year when you include bonus, stock, benefits, office space, etc..

        Then again, I'd also expect an intermediate tester to get more done than just 13 random bugs being found (1 every 3 work days). But maybe the quality of these 13 bugs is higher than you'd expect out of two months with a tester.

        Then again...again, I expect even without a bounty some of these bugs would have been reported. I wonder to what extent people's behaviour is actually changed by this.

        If you think an entry tester is getting stock options, at their price, you're nuts. They also aren't getting $84k.

        • by omglolbah (731566)

          He didn't say they did, he said it could cost -google- that much.

          Office space, benefits and the likes cost quite a lot. Salary is not the only thing an employee costs ;)

        • He said office space. That includes the portion of the mortgage of that cube. At California rates, that adds up quick. Plus their welcome package includes a Google edition of the dvd for Office Space signed by Ron Livingston.

  • "Hello google, I found a bug." "Did you fix it?" "Yeah here is 100 man hours of work and 1,000 lines of code" "k, cool, here's $10"
  • by 93 Escort Wagon (326346) on Friday January 14, 2011 @12:24AM (#34873694)

    I've heard that h.264 support is broken in an upcoming release.

    • Re: (Score:3, Insightful)

      by _Sprocket_ (42527)

      I've heard that h.264 support is broken in an upcoming release.

      That's a feature.

      • by martas (1439879)
        That's a whoosh.
    • by c0lo (1497653)

      I've heard that h.264 support is broken in an upcoming release.

      My bet on Google's answer: "that's not a bug, that's a feature". Would you believe it?

    • If you log a regression bug I will verify it!

  • To find out who is capable of finding the obvious ploys...
  • by Wrath0fb0b (302444) on Friday January 14, 2011 @12:40AM (#34873782)

    Is that updates take place silently and promptly without any user intervention even on systems with UAC activated (a copy is installed to %appdata%). Why can't other applications just keep themselves up to date automatically in that way? It's obviously not technologically impossible, we've seen it happen. Even Windows Update is vaguely alright in this respect once you disable the restart-nagging. Debian systems do fine after a simple 'apt-get update && apt-get upgrade -y' in the root crontab although the GUI will occasionally pester you.

    Firefox has to be the worst offender in this respect, both in terms of actual software upgrades that block the UI and then add-ons that also block the main UI and then spawn a silly splash to inform you of the amazing upgrade from 2.1.6 to 2.1.6(b). Unless it requires a change in the terms of the license or more permissions (Android does this nicely), I don't care and I definitely don't need to be interrupted to see it.

    Another free tip for the Mozilla team -- when I open an application is not the time to install any updates. In fact, that is the only time you can be nearly guaranteed that I want to use the application right this second. Schedule updates for when I close the app because it's pretty damn likely I don't need to use it for a few minutes.

    Apple could learn the same thing about their infernal updates too, plus an extra special place in hell for pimping their other software at the same time. I still get calls from my parents "Do I need Safari?", hmm, no just upgrade iTunes when it asks you to. "What about quicktime?". Gah.

     

    • by BZ (40346) on Friday January 14, 2011 @12:55AM (#34873886)

      > Schedule updates for when I close the app because it's pretty damn likely I don't need to
      > use it for a few minutes.

      It's not that simple. When you close the app in the case of a web browser, you're most likely shutting your machine down; you don't want to do the update then.

      The only sane way to do it is what Google does: actually replace the binaries in-place as the program runs... We're working on getting there. :)

      • by h4rr4r (612664)

        Replacing files in place is easy, if you use a sane OS.

        • by BZ (40346)

          Well, the hard part is to make sure things keep working after you did the replace. In particular, the ideal is that if an update comes out the browser updates itself and the next tab you open gets the updated renderer process (while the existing tabs still have the old renderer process). If you have to update the UI process, then you obviously have to do something slightly different.

      • Can you do that on Windows?

        • by BZ (40346)

          Yes, if you're careful enough. You can't write over the existing file, but you can create a new file, start using it, then make a copy once the old file is unused.

      • by wumpus188 (657540)

        Sorry, but this is just a lame excuse. OSX allows app to listen for shutdown notifications - just don't do an update if your app is terminating because of system shutdown. I'm sure Windows and KDE/Gnome have similar mechanisms.

        • Sure, but if you take more than a couple of seconds, Windows will assume the program isn't cooperating and offer to kill it. Which could be nasty when it happens during an update.

        • by BZ (40346)

          Right, but then you'll never update for many users (who _only_ shut down their browser when shutting down the OS), which negates the whole point.

    • Some might consider that silent automatic update an issue, especially if the silently updated new version breaks somehow. Corporate IT departments particularly are none too keen on things that go about updating themselves.

      As for your Firefox issue, go to Tools > Options > Advanced > Update and untick automatically update for Add-ons (and probably search engines). There, job done. Yes it isn't the best user interaction decision to update at startup and block the main UI from loading, but it doesn't

      • As for your Firefox issue, go to Tools > Options > Advanced > Update and untick automatically update for Add-ons (and probably search engines). There, job done. Yes it isn't the best user interaction decision to update at startup and block the main UI from loading, but it doesn't mean you have to live with it when it clearly ticks you off so much.

        So now I have to manually check for updates? And this is your idea of fixing things?

    • by mysidia (191772) on Friday January 14, 2011 @01:03AM (#34873926)

      Is that updates take place silently and promptly without any user intervention even on systems with UAC activated (a copy is installed to %appdata%).

      Hm.. that idea wouldn't work on any systems I set up.

      Software restriction policy all systems, Policy default: deny.

      Programs can be executed from the default allowed directories. %programfiles% , %systemroot%\system32, etc, and some designated paths for placing executables in manually, in order to install them.

      User profile directories including appdata are specifically excluded, because this is best common practice. Programs/executables don't belong in any user's profile or appdata folder (Especially not in any folder used as a default download directory for saving files or temporary directory used by a mail application for opening attachments in a viewer). Contents of appdata is a data folder, and all of a user's profile are data folders, not program folders.
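
A simplified model of the default-deny path policy described in the comment above, as an added example that is not part of the original thread and is not how Windows Software Restriction Policy itself matches rules. The environment values, the `D:\ApprovedInstallers` path and the sample image paths are constructed for illustration; the point is that paths must be normalised and compared on whole components, or a path-based allow list is trivially wrong.

```python
import ntpath
import re

# Constructed values for the example; nothing is read from a real host.
ENV = {
    "%programfiles%": r"C:\Program Files",
    "%systemroot%": r"C:\Windows",
    "%userprofile%": r"C:\Users\alice",
}
# Default deny; only these roots may execute (third entry is a hypothetical
# "designated path" for manually placed installers).
ALLOW_RULES = [r"%programfiles%", r"%systemroot%\system32", r"D:\ApprovedInstallers"]
# Profile roots are reported separately so user-writable locations stand out.
USER_DATA_RULES = [r"%userprofile%"]


def expand(rule):
    """Expand %var% tokens case-insensitively from the constructed ENV."""
    return re.sub(r"%[^%]+%", lambda m: ENV.get(m.group(0).lower(), m.group(0)), rule)


def canon(path):
    """Collapse '..' segments, unify separators and fold case."""
    return ntpath.normcase(ntpath.normpath(path))


def under(path, root):
    """True if path is root or lies inside it, compared on whole components."""
    p, r = canon(path), canon(root).rstrip("\\")
    return p == r or p.startswith(r + "\\")


def evaluate(image_path):
    """Return (verdict, reason) for one executable image path."""
    for rule in ALLOW_RULES:
        if under(image_path, expand(rule)):
            return "allow", rule
    for rule in USER_DATA_RULES:
        if under(image_path, expand(rule)):
            return "deny", "user profile: " + rule
    return "deny", "default"


# Constructed process image paths, including two that a naive prefix or
# string comparison would wrongly allow.
SAMPLES = [
    r"C:\Program Files\Google\Chrome\Application\chrome.exe",
    r"C:\Users\alice\AppData\Local\Google\Chrome\Application\chrome.exe",
    r"C:\Program Files\..\Users\alice\Downloads\setup.exe",
    r"C:\Program Files Extra\tool.exe",
    "c:/windows/SYSTEM32/cmd.exe",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(evaluate(sample), sample)
```
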

      • Programs can be executed from the default allowed directories. %programfiles% , %systemroot%\system32, etc, and some designated paths for placing executables in manually, in order to install them.

        When Chrome closes it copies over the %ProgramFiles% version if the user has sufficient privileges to do so. That's the best place for it, but given that NTFS does not allow unlinking an executable when it is running, having it in %AppData% for the time being is the next best option.

        User profile directories including appdata are specifically excluded, because this is best common practice. Programs/executables don't belong in any user's profile or appdata folder (Especially not in any folder used as a default download directory for saving files or temporary directory used by a mail application for opening attachments in a viewer). Contents of appdata is a data folder, and all of a user's profile are data folders, not program folders.

        Wait, so if I instruct chrome to download an application, it shouldn't go in $USER/Downloads because executables aren't supposed to be in data folders? To where should setup.exe be downloaded then? In fact, how the heck is any

        • by tepples (727027)

          In fact, how the heck is any updater supposed to work in this case?

          By being run as administrator.

      • User profile directories including appdata are specifically excluded, because this is best common practice. Programs/executables don't belong in any user's profile or appdata folder

        I disagree, though not for Windows. On Linux, it's pretty common practice to install software locally to a user. For example I have a newer version of Python installed on my webserver than the stock, and it's just in my home directory.

        Though I understand that your needs are likely different, I'm just pointing it out.

      • by tepples (727027)

        Programs can be executed from the default allowed directories. %programfiles% , %systemroot%\system32, etc, and some designated paths for placing executables in manually

        Then what is the procedure for a user to request that a program's installer be placed into one of these "designated paths for placing executables in manually"?

    • Is that updates take place silently and promptly without any user intervention even on systems with UAC activated (a copy is installed to %appdata%).

      No wonder corporate shops don't allow Chrome.

      • by frdmfghtr (603968)

        I was thinking the same thing for my home machine. I consider silent background updates "bad." Only one person should be authorizing software updates--me, and I want to know about it beforehand.

      • Yup, although Chrome seems particularly adept at getting round any corporate restrictions. At the [government institution] where I work, Chrome seems to be on about half the machines, usually installed by users. I'm always grateful to see it as lots of machines seem to still have IE 6 which is getting close to unusable on many web pages.
      • by willie150 (95414)
        Google released Chrome for Business [google.com] in the last few months, add that to the policy settings [google.com] and you're pretty set.
    • If I'm closing the browser, that probably means my battery is dying. My UPS is doing the extra-fast beeping that happens right before it cuts out.

      That would be the absolute worst time to update. The power will cut out right in the middle of the update. Few software projects can reliably avoid self-corruption when that happens.

    • by master811 (874700)

      No, the installation of Chrome in the %user% folder is an absolute pain. I'm sure the only reason google did this is to make it easy to install, but that doesn't make it the best place. Programs go in program files/system directories, NOT in userdata. I also hate the fact it doesn't just "update", it creates an entirely new directory every time for that particular version, so you end up with loads of redundant folders.

      No other major app does this, why can google get away with it?

      • by n0-0p (325773)

        If you don't like the single user version then install the system-wide version from the google pack. And it doesn't leave past versions around; it leaves exactly one previous version when it's updating because it uses differential compression against the old version and falls back to the previous version if the update failed.

    • by Alrescha (50745)

      "One of the best things about Chrome is that updates take place silently and promptly without any user intervention"

      You like having a rogue process running as root on your machine? I consider it the worst thing about Chrome. The first thing I dig out and kill after I install Chrome is Google Software Update.

      http://www.wired.com/epicenter/2009/02/why-googles-sof/ [wired.com]

      A.

    • In Firefox 4, add-on updates now install silently instead of prompting on startup.
  • Certainly having a trouble free product is worth more than 10% of developer salary to google?
