Google fixes Chrome holes, seeks security reform
Seven holes are fixed, six researchers who found them are paid bounties, and Google urges all software makers to fix serious problems within 60 days.
Just before thesecurity conference begins, Google has patched seven secuity holes in its stable version of Chrome and begun an effort to speed up the software industry's response to such vulnerabilities.
Google paid two $1,337 bounties for work that lets Chrome avoid critical security problems by sidestepping vulnerabilities in Windows and the widely used glibc software library, according to a Monday blog post about Chrome 5.0.375.125 by Jason Kersey of Google's Chrome team.
Also through its program to reward those who find Chrome security holes, Google issued payments to people who found three high-risk vulnerabilities and one medium-risk vulnerability. The final issue, a low-risk problem, elicited no payment.
That incentive program got more serious in July, when Google announced a new maximum reward of $3,133.7 for severe bugs. (If you're not in on the leetspeak joke, that means "eleet," better than the mere "leet" level that was attainable before.)
Google is trying to steer the security agenda in more ways than just paying those who find holes. In a blog post last week by a group of Googlers, Google called for reform to the "responsible disclosure" practice for sharing newly discovered vulnerabilities.
With responsible disclosure, a security researcher privately notifies a software maker of the vulnerability, announcing it only when the software maker has a fix ready. It contrasts with full disclosure, which gives no such grace period but which also lets users of the software know as soon as possible they may be affected. After all, a computer attacker might have discovered the vulnerability independently and could be exploiting it before the software company has a fix prepared.
"We've seen an increase in vendors invoking the principles of 'responsible' disclosure to delay fixing vulnerabilities indefinitely, sometimes for years; in that timeframe, these flaws are often rediscovered and used by rogue parties using the same tools and methodologies used by ethical researchers," the Googlers said in a blog post last week.
"We believe that responsible disclosure is a two-way street. Vendors, as well as researchers, must act responsibly. Serious bugs should be fixed within a reasonable timescale," they said. "Whilst every bug is unique, we would suggest that 60 days is a reasonable upper bound for a genuinely critical issue in widely deployed software."