A zero-day vulnerability is a software flaw that was unknown to the developer or vendor until they were alerted to it, so no patch exists yet; the name comes from the vendor having had "zero days" to fix it. Normally, a company that finds a zero-day vulnerability will tell the developer or vendor, even if it works for a rival outfit. Why? Because it helps stop malicious hackers, it helps clean up the industry, and the company never knows when it might be on the other side of such a situation.
Google reveals the story on the Chromium bugs site
He went on to say that the flaw "…was reported on June 5th, through my company. Yes it was late, there are multiple reasons for that. I first had to find the person responsible, the report had to be signed off by people and then the person responsible was OOO (out of the office). It's commendable that Chrome decided to fix it asap, but I think there wasn't any real urgency. Only you and my team were aware of it and the issue is likely not that great in a real-world scenario (doesn't work on Android, pretty visible since it freezes the Chrome GUI for a few seconds)."
The original report, as noted, was dated March 26th, and Google rewarded the person who brought it to their attention with a $10,000 bug bounty. Who says it doesn't pay to be a bug exterminator? It is also not unusual for flaws to be discovered during "Capture the Flag" hacker competitions.