For the second time in less than a year, researcher Mariusz Mlynski has been rewarded more than $30,000 through Google’s Chrome Rewards program.
Google on Wednesday released Chrome 56.0.02924.76 for Windows, Mac and Linux platforms, and Mlynski was credited with finding and disclosing four high-severity vulnerabilities that were patched. The vulnerabilities earned Mlynski $32,337; last May, he pocketed $45,000 after finding a number of high-severity issues that were patched in the browser.
Mlynski has been an active browser vulnerability researcher, in particular at the annual Pwn2Own contest. In 2015, he used a cross-origin bug in Firefox to gain Windows admin privileges on a machine, earning himself $55,000; in 2014 he won another $50,000 by chaining together two Firefox flaws to gain privilege escalation on a Windows machine.
The latest version of Chrome includes patches for 51 vulnerabilities, seven of which were rated high severity and qualified for rewards. Google patched 14 high-severity bugs in total; the remainder were discovered internally.
Google is also expected to begin deprecating SHA-1 in this version of Chrome. In line with the other browser makers, Google said in November that it would remove support for SHA-1 certificates starting with Chrome 56; Microsoft and Mozilla have announced similar deprecation schedules over the next month.
SHA-1 has long been considered a weakened hashing algorithm and susceptible to collision attacks. Experts are urging site owners and application developers to migrate to SHA-2 or other modern algorithms, but success on that front has been mixed.
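For site owners checking whether their own certificates will be affected by the SHA-1 removal, the following added example (not from the article or from Google) reads the signatureAlgorithm OID straight out of a DER-encoded certificate with a minimal ASN.1 walker and flags the SHA-1 based algorithms. The two fixtures at the bottom are constructed skeleton certificates (outer structure only, no real key or signature), used here instead of a real certificate; a real DER file read from disk can be passed to the same functions.

```python
# Signature-algorithm OIDs (RFC 3279 / RFC 5758) that still rely on SHA-1.
SHA1_SIGNATURE_OIDS = {
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.10045.4.1": "ecdsa-with-SHA1",
}

def _read_tlv(buf, pos):
    """Read one DER TLV at pos; return (tag, value, next_pos). Handles long-form lengths."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                         # long form: low bits give the byte count
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _decode_oid(value):
    """Turn OBJECT IDENTIFIER content bytes into dotted notation."""
    arcs, acc = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:                      # last byte of a base-128 arc
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))

def signature_algorithm_oid(der):
    """OID of Certificate.signatureAlgorithm, i.e. how the issuing CA signed this cert."""
    tag, cert, _ = _read_tlv(der, 0)          # Certificate ::= SEQUENCE { tbs, alg, sig }
    assert tag == 0x30, "not a DER SEQUENCE"
    _, _, pos = _read_tlv(cert, 0)            # skip tbsCertificate
    _, alg_id, _ = _read_tlv(cert, pos)       # AlgorithmIdentifier ::= SEQUENCE { OID, params }
    tag, oid, _ = _read_tlv(alg_id, 0)
    assert tag == 0x06, "expected OBJECT IDENTIFIER"
    return _decode_oid(oid)

def uses_sha1_signature(der):
    return signature_algorithm_oid(der) in SHA1_SIGNATURE_OIDS

def _der(tag, body):
    """Tiny DER encoder (short-form lengths only), used just to build the fixtures below."""
    return bytes([tag, len(body)]) + body

def _skeleton_cert(alg_oid_der):
    """Constructed fixture: outer Certificate structure with a placeholder tbsCertificate."""
    tbs = _der(0x30, _der(0x02, b"\x02"))                    # tbsCertificate stand-in
    alg = _der(0x30, alg_oid_der + b"\x05\x00")              # { algorithm, NULL }
    return _der(0x30, tbs + alg + _der(0x03, b"\x00"))       # + empty BIT STRING signature

SHA1_RSA_CERT = _skeleton_cert(bytes.fromhex("06092a864886f70d010105"))    # 1.2.840.113549.1.1.5
SHA256_RSA_CERT = _skeleton_cert(bytes.fromhex("06092a864886f70d01010b"))  # 1.2.840.113549.1.1.11
```

This inspects only the certificate handed to it; an audit of a served chain has to run the check on every intermediate as well, since a SHA-1 signature anywhere below the root is what the browsers are removing support for.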