The Chromium Projects

Search this site

Except as otherwise noted, the content of this page is licensed under a Creative Commons Attribution 2.5 license, and examples are licensed under the BSD License.
Chromium‎ > ‎

Chromium Security

Security is a key focus of the Chromium project and the Google Chrome browser. To learn more:

How can I get involved?

Find bugs
One of the quickest ways to get involved is finding and reporting security bugs. It will get prompt attention from a security sheriffbe kept private until we coordinate disclosure, and possibly qualify for a cash reward through our Vulnerability Rewards Program. We occasionally run security contests outside of our regular reward program (e.g. Pwnium2, Pwnium3) too.

For any issues other than a specific bug, email us at security@chromium.org. For non-confidential discussions, please post to the technical discussion forums.

Eventually, fix bugs
Access to Chromium security bugs is restricted to projects members on a "need to know" basis. For eligibility, applicants are expected to have made and continue to make active and significant contributions to Chromium security. You should demonstrate at least one of the following before applying:
  • Relevant technical expertise and a history of resolving Chromium security issues.
  • A history of identifying and responsibly reporting Chromium security vulnerabilities.
  • Other expertise and/or roles that would allow the applicant to significantly contribute to Chromium security on a regular basis.
To apply for membership, please email security@chromium.org. 

Check out Security HelpWanted
We tag security ideas that we'd like to do (but don't have the current bandwidth for) with Cr-Security and HelpWanted. Check them out here.

How can I get access to Chromium vulnerabilities?

A history of fixed Chromium security bugs is best found via security notes in Stable Channel updates on the Google Chrome releases blog. You can also find fixed, publicly visible Type=Bug-Security bugs in the issue tracker. All security bugs are rated according to our severity guidelines, which we keep in line with industry standards. 

Advance notice of (fixed) Chromium security vulnerabilities is restricted to those actively building products based upon Chromium, or including Chromium as part of bundled software distributions. If you meet the criteria, and require advanced notice of vulnerabilities, request access via security-notify@chromium.org. Your email should explain your need for access (embedder, Linux distribution, etc.) and your continued access will require that you follow the terms of list membership.

There is one simple rule for any party with advance access to security vulnerabilities in Chromium: any details of a vulnerability should be considered confidential and only shared on a need to know basis until such time that the vulnerability is responsibly disclosed by the Chromium project. Additionally, any vulnerabilities in third-party dependencies (e.g. WebKit) must be treated with the same consideration. Access will be terminated for any member who fails to comply with this rule in letter or spirit.