"Google Pays Out Over $50,000 for Vulnerabilities Patched by Chrome 107"
Google recently announced the release of Chrome 107 to the stable channel, with patches for 14 vulnerabilities, including high-severity bugs reported by external researchers. A total of ten security bugs were reported externally: three high-severity issues, six medium-severity issues, and one low-severity issue. Google noted that to exploit these flaws, a remote attacker needs to trick a user into accessing a specially crafted webpage in a vulnerable browser. Successful exploitation could allow the attacker to execute arbitrary code or cause a denial-of-service (DoS) condition on the affected system. Based on the paid bug bounty rewards, the most severe of these externally reported security defects is CVE-2022-3652, which is described as a type confusion in the V8 open source JavaScript and WebAssembly engine. Google says it has paid $20,000 to the reporting researcher. Next in line is CVE-2022-3653, a heap-buffer overflow vulnerability in the Vulkan hardware acceleration engine. Google noted that it has handed out a $17,000 reward to the researcher who identified it. The third high-severity vulnerability resolved with this browser release is CVE-2022-3654, a use-after-free issue in Layout. Google says it has yet to determine the amount to be paid for it. For the six externally reported medium-security vulnerabilities, Google awarded a total of $17,000. These include a heap buffer overflow in Media Galleries, insufficient data validation in File System, an inappropriate implementation in full screen mode, use-after-free bugs in Extensions, Feedback service on Chrome OS, and Accessibility. An additional $3,000 was paid for the low-severity issue, for a total of $54,000, but the total amount might be much higher once Google announces the reward for the third high-severity vulnerability. Google noted that the latest Chrome iteration is now rolling out to Mac, Linux, and Windows users as versions 107.0.5304.62, 107.0.5304.68, and 107.0.5304.62/63, respectively.
SecurityWeek reports: "Google Pays Out Over $50,000 for Vulnerabilities Patched by Chrome 107"