Google Awards $40,000 for Chrome Sandbox Escape Vulnerabilities

Google has paid out a total of $40,000 for a couple of vulnerabilities that can be exploited to escape Chrome’s sandbox.

Google last week announced the release of an update for Chrome 77. Chrome 77.0.3865.90 should address a total of four vulnerabilities: a critical use-after-free bug in the UI, reported by Khalil Zhani; two high-severity use-after-free bugs in the media component; and a high-severity use-after-free in offline pages, reported by Brendon Tiszka.

While Google has yet to determine how much it will award Zhani and Tiszka for their findings, the tech giant has decided to pay out $20,000 for each of the media vulnerabilities.

The flaws, tracked as CVE-2019-13688 and CVE-2019-13687, were reported to Google by Man Yue Mo of the Semmle Security Research Team.

Fermín Serna, the CSO of Semmle, told SecurityWeek that the vulnerabilities are not very useful to attackers on their own, but can be highly valuable if combined with another type of weakness.

“The two vulnerabilities require an already compromised renderer and allow breaking out of Chrome’s sandbox. This means that another vulnerability is needed first for a chain to browse a website and get unsandboxed code execution. It is still very valuable to be able to bypass Chrome’s mitigations,” he explained via email.

Serna says his company has asked Google to donate the $40,000 reward. Google states in the rules of its Chrome Vulnerability Reward Program that it’s prepared to double donations if researchers want to donate their reward to a registered charity.

Semmle recently also earned a $10,000 bounty from Facebook for a critical DoS vulnerability in the social media giant’s Fizz TLS library. That bounty was also donated to charity and the amount was doubled by Facebook.

The company was also credited last year for finding a critical remote code execution vulnerability in the Apache Struts 2 open source development framework.

Semmle announced its global launch in August 2018, after raising $21 million in a Series B funding round. The company offers technologies designed to help organizations find coding errors that can introduce critical vulnerabilities, and it was recently acquired by Microsoft-owned GitHub for these technologies.

Related: Google Patches Actively Exploited Chrome Vulnerability

Related: Chrome 76 Patches 43 Vulnerabilities

Related: Chrome 77 Released with 52 Security Fixes

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.