Google Awards $40,000 for Chrome Sandbox Escape Vulnerabilities

Google has paid out a total of $40,000 for a couple of vulnerabilities that can be exploited to escape Chrome’s sandbox.

Google last week announced the release of an update for Chrome 77. Chrome 77.0.3865.90 should address a total of four vulnerabilities: a critical use-after-free bug in the UI, reported by Khalil Zhani; two high-severity use-after-free bugs in the media component; and a high-severity use-after-free in offline pages, reported by Brendon Tiszka.

While Google has yet to determine how much it will award Zhani and Tiszka for their findings, the tech giant has decided to pay out $20,000 for each of the media vulnerabilities.

The flaws, tracked as CVE-2019-13688 and CVE-2019-13687, were reported to Google by Man Yue Mo of the Semmle Security Research Team.

Fermín Serna, the CSO of Semmle, told SecurityWeek that the vulnerabilities are not very useful to attackers on their own, but can be highly valuable if combined with another type of weakness.

“The two vulnerabilities require an already compromised renderer and allow breaking out of Chrome’s sandbox. This means that another vulnerability is needed first for a chain to browse a website and get unsandboxed code execution. It is still very valuable to be able to bypass Chrome’s mitigations,” he explained via email.

Serna says his company has asked Google to donate the $40,000 reward. Google states in the rules of its Chrome Vulnerability Reward Program that it’s prepared to double donations if researchers want to donate their reward to a registered charity.

Semmle recently also earned a $10,000 bounty from Facebook for a critical DoS vulnerability in the social media giant’s Fizz TLS library. That bounty was also donated to charity and the amount was doubled by Facebook.

The company was also credited last year for finding a critical remote code execution vulnerability in the Apache Struts 2 open source development framework.

Semmle announced its global launch in August 2018, after raising $21 million in a Series B funding round. The company offers technologies designed to help organizations find coding errors that can introduce critical vulnerabilities, and for these technologies it was recently acquired by Microsoft-owned GitHub.

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
