The search giant highlighted fixes “that were either contributed by external researchers or particularly interesting.” In total, eight outside researchers were paid a total of $13,500 in bounties for uncovering nine of the 28 flaws.
Top-grossing payouts went to theShow3511, who raked in $3,000 for the high-risk CVE-2013-6654, a bad cast in SVG, and cloudfuzzer, who also earned $3,000 for the high-risk CVE-2013-6655 use-after-free flaw in layout. The latter was also a,warded $2000 for a medium-risk CVE-2013-6658, also a use-after-free issue in layout.
$2,000 went to tyranid for the high-risk CVE-2013-6652 vulnerability: an issue with relative paths in Windows sandbox named pipe policy. $1,000 went to Khalil Zhani for the high-risk CVE-2013-6653, a use-after-free flaw related to Web contents.
$500 and $1,000 went to NeexEmil for two separate information leaks in the XSS auditor – a high-risk (CVE-2013-6656), and a medium-risk version (CVE-2013-6657).
Also, Antoine Delignat-Lavaud and Karthikeyan Bhargavan from Prosecco, Inria Paris earned $1,000 for a medium-risk issue with certificate validation in the TLS handshake (CVE-2013-6659). And, bishopjeffreys uncovered a low-risk information leak in drag-and-drop (CVE-2013-6660).
So far this year, Google has paid out more than $21,000 in bug bounties.
Google’s ongoing internal security work was responsible for a wide range of patches, including for the low-high-risk CVE-2013-6661. It culled the various fixes from internal audits, fuzzing and other initiatives, it said. Of these, seven are fixes for issues that could have allowed for sandbox escapes from compromised renderers.
Chrome 33 also debuted notifications for the Siri-like Google Now digital assistant within the browser on Windows and Apple's OS X, and includes the latest version of Adobe's Flash Player.