Chrome 49 goes live as Google pays bug mercs $51k to patch 26 holes

Eight high-severity flaws found

Google has released Chrome version 49, closing 26 bugs and shelling out US$51,000 to support bug hunters.

Now in Chrome's stable channel, the new version sports eight high-severity and five medium-severity fixes.

Chrome test engineer Krishna Govind says Google paid US$36,500 (£33,334, A$49,671) for the bug bounty reports in the now stable version of Chrome, and an additional US$14,000 (£9,879, A$19,050) for fixes in other Chrome channels.

"We would like to thank all security researchers that worked with us during the development cycle to prevent security bugs from ever reaching the stable channel," Govind says.

"Many of our security bugs are detected using AddressSanitizer, MemorySanitizer, Control Flow Integrity or LibFuzzer."


Two same-origin bypasses were closed in Blink and the Pepper Plugin, and three use-after-free holes were shuttered in Blink, along with one each in WebRTC and Favicon.

The remaining holes included an SRI validation bypass, an out-of-bounds access in libpng, origin confusion, and an information leak.

Google launched its lucrative bug bounty five years ago and has since paid out US$6 million (£5.5 million, A$8.2 million) in bounties to researchers, an average of US$1.2 million (£1.1 million, A$1.6 million) a year.

The largest payment was US$37,500 (£34,260, A$26,469) made to an Android security researcher last year. ®
