Bugs happen. We know this to be as true as other fundamental laws of physics so long as we have humans writing code to bring new features and improvements to Chromium. We also know some of these bugs will have security consequences, so we do a number of things to prevent, identify, and fix Chromium security bugs.
"fuzz" test Chrome to find new bugs and help engineers patch and test fixes. ClusterFuzz, as the system is affectionately named, consists of 12000+ cores and fuzzes hundreds of millions of test cases each day to produce de-duplicated security bugs with small reproducible test cases. Since it was built (in 2009), ClusterFuzz has helped us find and fix roughly two thousand security bugs in Chromium and other third party software.
security sheriff is a rotating role that handles all incoming and open security bugs. to all reported security bugs. We are committed to releasing a fix for any critical security vulnerabilities in under 60 days.
Chromium Vulnerability Rewards is our ongoing program to reward security bug reports in Chrome and Chrome OS.
Pwnium is a contest we run semi-regularly for proof-of-concept Chrome exploits. Our motivation is simple: we have a big learning opportunity when we receive full end-to-end exploits. Not only can we fix the bugs, but by studying the vulnerability and exploit techniques we can enhance our mitigations, automated testing, and sandboxing. This enables us to better protect our users.
Pwn2Own is an independent contest that similarly awards proof-of-concept exploits. We support these contests with sponsorships.