While details on the vulnerabilities’ specifics are blocked by Google for now (the company wants a preponderance of users updated before opening the kimono to potentially nefarious types), the update does alert us that six of the flaws are high-risk bugs.
Several external researchers were able to claim a bounty, like Khalil Zhani, who collected $500 for a medium-risk flaw related to speech input elements [CVE-2013-6621], and Michel Aubizzierre, a.k.a. “Miaubiz,” who snagged $500 for the high-risk CVE-2013-6623 that involves an out-of-bounds read in SVG.
Jon Butler earned $1,000 for a high-risk flaw concerning use after free related to “id” attribute strings [CVE-2013-6624], while Antoine Delignat-Lavaud and Karthikeyan Bhargavan from Prosecco of INRIA Paris received $1,000 to share for a medium-risk issue that involved certificates not being checked during TLS renegotiation [CVE-2013-6628].
And the two biggest payouts went to “Skylined,” who realized $4,000 for an out-of-bounds read in HTTP parsing [CVE-2013-6627] and a hacker with the handle of “cloudfuzzer,” who earned $2,000 each for two high-risk issues, one concerning media elements [CVE-2013-6622] and one found in DOM ranges [CVE-2013-6625].
Other non-bounty finds include the low-risk CVE-2013-6626, which involves address bar spoofing related to interstitial warnings (found by Chamal de Silva). Patrik Höglund of the Chromium project uncovered the high-risk CVE-2013-6631, for use after free in libjingle.
And finally, Google’s own Michal Zalewski found flaws leading to a read of uninitialized memory in libjpeg and libjpeg-turbo [medium-risk CVE-2013-6629 and CVE-2013-6630]. In addition, the medium-critical CVE-2013-2931 has various fixes from internal audits, fuzzing and other initiatives, Google said.
The $11,000 pales in comparison to previous payouts. In March, Google fixed 17 high-risk vulnerabilities in its Chrome update and doled out a record $47,500 in bug bounties. Out of that, it gave $10,000 to each of three researchers as a “surprise bonus” for “sustained, extraordinary contributions” to fixing Chrome bugs. The three researchers were the aforementioned Miaubiz, Aki Helin and Arthur Gerkis.