Last year’s particularly virulent Stragefright bug allowed attackers to perform a number of actions on an infected device through remote code execution. While Google has addressed those issues with monthly security patches, Android N will play a larger role in making sure a similar issue does not happen again.
Google is increasing the bounty it pays to security researchers who discover and report bugs in Chromium by up to 500 percent after announcing that it has paid out a combined total of $2M in bug bounties across Chromium and Google-owned websites in just three years.
Today, the Chromium program is raising reward levels significantly. In a nutshell, bugs previously rewarded at the $1,000 level will now be considered for reward at up to $5,000. In many cases, this will be a 5x increase in reward level! We’ll issue higher rewards for bugs we believe present a more significant threat to user safety, and when the researcher provides an accurate analysis of exploitability and severity. We will continue to pay previously announced bonuses on top, such as those for providing a patch or finding an issue in a critical piece of open source software.
This follows earlier similar increases for reporting website vulnerabilities back in June.
Although the sums of money offered for reporting vulnerabilities are substantially lower than could be made by selling the info on the black market to those who would use it for nefarious reasons, the thinking behind bug bounties is it encourages those who would never dream of misusing the info to file prompt reports. Many large tech companies offer bug bounties, with Microsoft – a long-time hold-out – joining in a month ago.
After sending out the usual laundry list of bug fixes for its Flash Player yesterday, Adobe is coming under pressure from Google security engineer Tavis Ormandy who claims the update only listed 13 of the approximately “400 unique vulnerabilities”… A number he describes as “embarrassingly high”.
Ormandy claims he sent the bugs to be fixed “as part of an ongoing security audit” and, according to a report from Computerworld, was “upset that he was not credited for his bug reports”. After noticing he hadn’t received credit in the patch, he took to Twitter to address his concerns, prompting Adobe’s senior manager of corporate communications to tweet the following:
“Tavis, please do not confuse sample files with unique vulnerabilities. What is Google’s agenda here?”
Ormandy responded, also in a tweet, saying:
“I don’t know what Google’s agenda is, but my agenda is getting credit for my work and getting vulnerabilities documented.”
Hours before the patch officially rolled out, Google launched the latest version of Chrome 13 and 14, which included the Flash Player patch in question, and was accompanied by the following statement from Google:
“The Chrome Team would especially like to thank Tavis Ormandy, the Google Security Team, and Google for donating a large amount of time and compute power to identify a significant number of vulnerabilities resolved in this release of Flash Player.”
Adobe did credit 10 other researchers in the report accompanying the update, but had only this to say about Google and Ormandy’s work: