Slashdot Mirror

← Back to Stories (view on slashdot.org)

Google Releases Chrome 6, Pays $4337 In Bounties

Posted by timothy on from the working-in-the-background dept.

Trailrunner7 writes "Google has released a new version of its Chrome browser and has included more than a dozen security fixes in the update. The new version, 6.0.472.53, was released two years to the day after the company pushed out the first version of Chrome. Google Chrome 6 includes patches for 14 total security vulnerabilities, including six high-priority flaws, and the company paid out a total of $4,337 in bug bounties to researchers who reported the vulnerabilities. A number of the flaws that didn't qualify for bug bounties were discovered by members of Google's internal security team." (Read on for more, below.) Also on the Chrome front, morsch writes "Chrome 7 for Linux is planned to tie in with the Gnome Keyring and the KDE Wallet to securely store saved browser passwords. Users of the stable version of Google's Webkit-based browser might be surprised to find out that, so far, passwords are stored on the hard disk as clear text. On Windows, Chrome has always used a platform-specific crypto API call for encrypted storage. The corresponding Linux function was never implemented — until now. Unstable versions of Chrome 7 still disable the feature by default; it can be enabled using a parameter."

3 of 177 comments (clear)

  1. Re:Wheel of Bug Chasers! by bonch · · Score: 5, Insightful

    Give me a break. You turn a bug bounty into a statement on American values. Your gameshow references are completely baseless and random. What a load of crap!

  2. Re:Wheel of Bug Chasers! by kdub432 · · Score: 3, Insightful

    This is one of the dumbest arguments I've ever seen on slashdot.

  3. Re:Wheel of Bug Chasers! by Dhalka226 · · Score: 4, Insightful

    Give ME a break. I can't believe the "bug bounty hunters" would really sell a Google vulnerability for a thousand dollars

    And yet they did. That must really shake your world view.

    Believe it or not, when normal people discover a vulnerability and their options are "run a bonet" and "tell the manufacturer," most of them tell the manufacturer. Getting $1000 for it is an added bonus, not the incentive to action.

    True, it's not going to create a whole new generation of professional bug bounty hunters living off their bounties, but that was never the intent. If they wanted to hire an army of extra bug hunters they'd put you on the payroll. If you're looking to get rich, do something else. If you're into it for the challenge or to be helpful or you happen to be mucking about with their browser as part of your day job, make a little extra money as Google's way of saying "thank you" for doing the right thing and helping them to make their free product--one you evidently use, if you're finding bugs in it--a better one.

    If that's not good enough for you, well, fine. Don't look for bugs. Don't pass Go, don't collect $1,000. Your time is apparently better spent trying to get yourself a spot on Wheel of Fortune.