SecurityWeek

Google Now Offering Up to $250,000 for Chrome Vulnerabilities

Google has significantly increased the rewards for Chrome browser vulnerabilities, offering up to $250,000 for remote code execution bugs.

Google today announced significantly boosted rewards for Chrome browser vulnerabilities reported through its Vulnerability Reward Program (VRP).

With the updated rewards, security researchers may earn as much as $250,000 for a single issue, or even more if specific conditions are met. Just as before, the highest payouts will go to researchers who demonstrate memory corruption bugs in non-sandboxed processes.

For memory corruption flaws, Google expects researchers to provide high-quality reports demonstrating remote code execution (RCE) with functional exploits, the controlled write of arbitrary locations in memory, or the triggering of memory corruption.

Google is willing to pay out as much as $250,000 for demonstrated RCE in a non-sandboxed process, and may add an additional reward if the proof-of-concept (PoC) code achieves RCE without a renderer compromise.

Reports demonstrating controlled write in a non-sandboxed process may earn researchers up to $90,000, while reports demonstrating memory corruption may be awarded rewards of up to $35,000.

The internet giant says it will offer rewards of up to $85,000 for reports demonstrating RCE in a highly-privileged process and up to $55,000 for reports demonstrating RCE in a sandboxed process.

The reward amounts for baseline reports of memory corruption have been set at $25,000, $10,000, and $7,000, and Google says these will remain consistent, as the boosted reward amounts in the other categories are expected to incentivize “deeper research into the full consequences of a given issue”.

As with memory corruption bugs, the internet giant will offer rewards for other classes of vulnerabilities based on report quality, impact, and the potential harm to Chrome users.

Google will pay out up to $30,000 for high-quality reports describing client-side flaws in the browser leading to cross-site scripting (XSS) conditions, or site isolation bypasses.

The reward for any vulnerability that bypasses MiraclePtr, the technology that reduces the exploitability of use-after-free issues in Chrome, has been increased to $250,128, compared to $100,115 before.

Bonus rewards will also be handed out for reports that include the applicable characteristics, the internet giant says.

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
