Bugs happen. We know this to be as true as other fundamental laws of physics so long as we have humans writing code to bring new features and improvements to Chromium. We also know some of these bugs will have security consequences, so we do a number of things to prevent, identify, and fix Chromium security bugs.
We've built fuzzing infrastructure that automatically and continuously "fuzz" tests Chrome to find new security bugs and help engineers patch and test fixes. ClusterFuzz, as the system is affectionately named, consists of 12000+ cores and fuzzes hundreds of millions of test cases each day to produce de-duplicated security bugs with small reproducible test cases. Since it was built (in 2009), ClusterFuzz has helped us find and fix roughly two thousand security bugs in Chromium and other third party software.
The security sheriff is a rotating role that handles all incoming and open security bugs. We are committed to releasing a fix for any critical security vulnerabilities in under 60 days.
We try to reward awesome security research from external folks in a few ways: Chromium Vulnerability Rewards is our ongoing program to reward security bug reports in Chrome and Chrome OS. Pwnium is a contest we run semi-regularly for proof-of-concept Chrome exploits. Our motivation is simple: we have a big learning opportunity when we receive full end-to-end exploits. Not only can we fix the bugs, but by studying the vulnerability and exploit techniques we can enhance our mitigations, automated testing, and sandboxing. This enables us to better protect our users.
- Pwnium 4 at CanSecWest in March 2014: results
- Pwnium 3 at CanSecWest in 2013: results
- Pwnium 2 at Hack in the Box in 2012: results
- Pwnium 1 at CanSecWest in 2012: results (Part 1, Part 2)
Pwn2Own is an independent contest that similarly awards proof-of-concept exploits. We support these contests with sponsorships.
- Pwn2Own at CanSecWest 2014: results
- Pwn2Own at PacSec 2013: Chrome on Android exploit writeup
- Pwn2Own at CanSecWest 2013: results, MWR Labs' write-up of their Chrome exploit (Part 1, Part 2)