Google Quashes 5 High-Severity Bugs With Chrome 106 Update

Chrome is touting beefed-up security with the release of Chrome 106, which fixes 20 existing bugs, five of them high-severity. 

Of the 20 total security fixes included, 16 were found by external researchers through Google’s bug bounty program. A blog post from Google Chrome’s Srinivas Sista listed the specific CVEs spotted by the bug bounty hunters, including five designated high-severity, which are as follows:

  • CVE-2022-3304: Use after free in CSS. Reported by Anonymous on 2022-09-01
  • CVE-2022-3201: Insufficient validation of untrusted input in Developer Tools. Reported by NDevTK on 2022-07-09
  • CVE-2022-3305: Use after free in Survey. Reported by Nan Wang (@eternalsakura13) and Guang Gong of 360 Vulnerability Research Institute on 2022-04-24
  • CVE-2022-3306: Use after free in Survey. Reported by Nan Wang (@eternalsakura13) and Guang Gong of 360 Vulnerability Research Institute on 2022-04-27
  • CVE-2022-3307: Use after free in Media. Reported by Anonymous Telecommunications Corp. Ltd. on 2022-05-08

The biggest external researcher payout so far for a bug that contributed to the latest Chrome 106 security update, according to Sista, was $9,000; the lowest was $1,000. Many payout amounts for other Chrome bug hunters are listed as “$TBD.”

As usual, Google did not list any technical details of the bugs. 

“We would also like to thank all security researchers that worked with us during the development cycle to prevent security bugs from ever reaching the stable channel,” Sista wrote. “As usual, our ongoing internal security work was responsible for a wide range of fixes.” 
