Google today announced significantly higher bug bounty rewards for vulnerability reports containing full chain exploits leading to a sandbox escape in Chrome.
Until December 1, 2023, the first report to contain a full chain exploit leading to a Chrome sandbox escape, Google says, may receive up to $180,000, or even more if cumulated with other bonuses, which is triple the current reward amount.
Subsequent full chain exploits that are submitted during the timeframe may receive up to $120,000, which is double the current reward amount. All reports should be submitted through the Chrome vulnerability rewards program.
“We’re always interested in explorations of new and novel approaches to fully exploit Chrome browser and we want to provide opportunities to better incentivize this type of research. These exploits provide us valuable insight into the potential attack vectors for exploiting Chrome, and allow us to identify strategies for better hardening specific Chrome features,” the internet giant says.
According to Google, interested researchers may submit the vulnerability report in advance, but need to provide a functional exploit by December 1 to be eligible for the increased rewards.
The first functional full chain exploit submitted during the timeframe, which demonstrates attacker control or code execution outside the Chrome sandbox, is eligible for the triple reward amount.
The exploit chain should be performed remotely and require no or very limited user interaction. Furthermore, it should target an active Chrome release channel “at the time of the initial reports of the bugs in that chain”.
Exploits targeting publicly disclosed bugs in past versions of Chrome are not eligible for the reward.