site/Home/chromium-security/brag-sheet.md

breadcrumbs: Chromium Security > page_name: brag-sheet title: Security Brag Sheet

Our Team and Resources

Our team includes some of the best security professionals in the business.
We work closely with top researchers like Michal Zalewski (lcamtuf) and Tavis Ormandy (taviso).
We contract with experts like iSec Partners and Chris Rohlf for targeted assessments.
We dedicate thousands of CPU cores to fuzz projects such as WebKit, Adobe Flash or Chrome's PDF viewer.

White Papers

Chrome leads in white papers from 2 different security firms.
Chrome leads in white paper from respected security firm Accuvant.
Chrome leads in response time and reward program effectiveness in this independent study from Berkeley.
Chrome leads in recommendations from respected German government organization, the BSI.

Containing Attacks

We have an integrated sandbox that reduces the impact of most common vulnerabilities, and is much stronger than approaches used by other browsers.
We have Site Isolation to protect website data from compromised renderer processes and side channel attacks like Spectre.
We have critical security vulnerabilities relatively infrequently compared to other browsers.
We have leading sandbox protection for the Adobe Flash plug-in.
We have unique techniques for significantly mitigating the security risks posed by plug-ins.
We have a robust built-in sandboxed PDF viewer which has leading security.
We implement Strict Transport Security and preloaded public key pinning, which protected our users against the fraudulent Diginotar certificate for *.google.com.
We implement root CA verification by the underlying operating system.
We have leading HTTPS security through features such as mixed script blocking.

Vulnerability Response

We are committed to releasing a fix for any critical security vulnerabilities in under 60 days.
On average, we release fixes for high and critical severity vulnerabilities in about 30 days.
We have a demonstrated ability to get fixes to users in under 24 hours.
We ensure updates are deployed in a timely manner, and invest in new technologies to do so.
We have a Vulnerability Rewards Program to encourage third-party researchers to report vulnerabilities they discover.
We work with the security community and have a Security Hall of Fame to acknowledge third-parties that materially contribute to improving our security.
We have the successful Pwnium competition, with large prizes, to keep us up to date with the latest, most advanced attacks.

Advanced Anti- Phishing and Malware defenses

We warn you when you‘re about to visit a website we’ve previously identify as a malware or phishing site.
We keep the user better informed against phishing and similar attacks by presenting the most relevant information.
We implement new, browser-based security enhancements to protect you against malicious sites.

High profile researchers and publications say nice things about us

A Fortune article's headline subtext: “Google's record on Chrome browser security is impressive, and that is important.”
An interview with Dino Dai Zovi and Charlie Miller: “I recommend that users surf the web with Google Chrome, disable unnecessary plug-ins, and use site-based plug-in security settings for the plug-ins that they do need.”
An article noting Chrome's unique 3-years-in-a-row survival at the Pwn2Own competition: “the browser will have survived three consecutive Pwn2Owns, a record.”
An article noting our agility and fast security updates: “Google has once again reacted faster than Adobe itself”
A more mainstream publication interviews HD Moore, who calls Chrome the toughest browser: “Chrome was likely the most difficult target due to the extensive sandboxing.”
An article in the very mainstream Washington Post notes that whilst other browsers are starting to chase Chrome's speed, Chrome is still the choice of the security conscious: “Both IE 9 and Firefox 4 look like major, welcome advances. But each falls short of Chrome in one key aspect: security.”
A TIME article's headline includes: “Google Stays Strong”
An interesting interview with John Wilandar and Chaouki Bekrar (VUPEN CEO). The interview is nominally about Firefox 4 but includes quotes such as “I‘d say Chrome’s sandboxing model still beats all the other browsers from an end user perspective.”, “At VUPEN, we measure the security of web browsers not by counting the number of their vulnerabilities, but by counting the number of days, weeks, or months that the vendor is taking to fix vulnerabilities affecting their browsers... Today, Google is fixing Chrome vulnerabilities much faster than any other vendor – usually one or two security updates each month. Microsoft, Mozilla, and Apple are are usually releasing security updates for their browsers every 3 months, which is too long.”, “Relying on third-party auditor through reward and bounty programs is the most effective way to improve the security of browsers”.