VTracker
A Tool to keep track of Chrome Releases and automtically point out V8 commits using Bug ID.
Motivation
Staying up to date with the latest bugs/N-Days in Chromium is crucial (and exciting!), but the process can be quite tedious. Typically, one has to navigate to the Chrome Releases blog for a specific month, locate the Stable Desktop Release post, dig into the linked git logs, and manually trace each bug. If the bug is related to V8, the process becomes even more complex, requiring additional investigation across separate V8 git logs. Identifying the exact commit corresponding to a specific Bug ID is time-consuming and can often lead to confusion or oversight.
I wanted a tool that could automate this entire process: extract bugs, match them to commits, and display both the bug description and the relevant commit… automatically. That’s why I built VTracker.
Inspired by @ret2happy’s excellent BugsAggregator, which provides a similar aggregation for recent Chromium bugs, I set out to create a streamlined tool focused on newly released issues—especially those still marked as restricted in the Chromium issue tracker.
Implementation
VTracker automates the same process a security researcher would manually follow. It begins by fetching posts from the Chrome Releases blog, specifically aggregating all advisory links under Stable Releases for Desktop, which is typically posted by Google one to thrice per month. From these advisories, it extracts detailed vulnerability information, including all relevant Bug IDs.
The critical next step is to correlate these Bug IDs with corresponding commits in the Chromium Git logs, and, when applicable, the V8 Git logs (for V8-related issues). Once this mapping is complete, the tool presents the matched information in a clean, structured format.
This allows researchers to instantly view the bugs disclosed in a specific month (or the most recent one), along with the exact commits where those bugs were fixed—eliminating the need to manually sift through extensive commit logs. As a result, researchers can focus directly on analyzing the patch diffs and understanding the root cause, in a much more efficient and streamlined way.
Usage
First git clone the repository and inside it, create a python virtual environment
1
2
python3 -m venv venv
source venv/bin/activate
Then install the requirements using this command
1
pip3 install requests termcolor bs4
After which you may run the script using -
1
python3 app.py --help
If everything goes correctly, you’ll be greeted by this menu -
Just supply the --year (between 2009-current year) and --month (value between 1-12), and you’re good to go!
Example -
1
python3 app.py --year 2024 --month 10 # Fetches the Chrome Release for 2024/10
Case Study
Although VTracker is nothing but a result of sheer automation, the real question is: does it really work? To find out, I’ll walk through a case study (or just a test-drive) on the latest Chrome Release (2025/06) to check if our tool automatically fetches the information and tags the corresponding Git commits correctly.
We’ll run the command -
1
python3 app.py --year 2025 --month 6 # Fetches the Chrome Release for 2025/06
and observe the results -
At the outset, VTracker scans the Chrome Releases page to identify up to three separate entries for Stable Releases for Desktop, each associated with a specific release date. These entries may contain important vulnerability information relevant to recent updates.
The tool then parses each advisory link individually to extract detailed vulnerability information. Using the Git logs, it matches each Bug ID to its corresponding commit, effectively identifying the exact change where the bug was fixed. This process is demonstrated clearly in the case of CVE-2025-6192, where the tool correctly identifies the fix commit as a41716a9f6074a035d4ccd247844b021b0bce090. This mapping can be manually verified by following the associated links and confirming the Bug ID in the commit message.
For V8-related bugs, VTracker performs an additional step by locating V8 commit links within the Chromium Git Logs. It then visits each link and identifies the specific V8 commit that corresponds to the Bug ID, ensuring accurate mapping for V8 fixes.
This is clearly demonstrated above with the V8 bug CVE-2025-6554, which was recently reported and fixed. VTracker accurately identifies the fix commit as 069790710f28b00ff8d7b4c665eef6b4eb8768f6. This mapping can be manually verified by reviewing the linked commit and confirming the presence of the corresponding Bug ID in the commit message.
In this way, VTracker enables quick extraction of all recent bugs for a given month directly from the Chrome Releases blog, with accurate mapping of each bug to its corresponding fix commit. This eliminates the tedious and time-consuming task of manually searching through Git logs, allowing researchers to focus their efforts on root cause analysis and patch review—rather than wasting time trying to “find Waldo” in a sea of commits.
If you wish to try out VTracker, you can find it on my Github.
Linux (x86_64), Windows, MacOS all are supported.
Credits
- @xvonfers for helping with script to detect commits using Bug ID which are not covered in Chrome Releases Git Log which VTracker refers for info. Reference
Hey There! If you’ve come across any bugs or have ideas for improvements, feel free to reach out to me on X! If your suggestion proves helpful and gets implemented, I’ll gladly credit you in this dedicated Credits section. Thanks for reading!