Google has more than doubled payouts for Google Chrome security flaws reported through its Vulnerability Reward Program, with the maximum possible reward for a single bug now exceeding $250,000.
Starting today, the search giant will differentiate memory corruption vulnerabilities depending on the quality of the report and the researcher’s drive to find the full impact of the reported issues.
The rewards will significantly increase from baseline reports demonstrating Chrome memory corruption with stack traces and a proof-of-concept (with rewards of up to $25,000) to a high-quality report with remote code execution demonstration through a functional exploit.
“It is time to evolve Chrome VRP rewards and amounts to provide an improved structure and clearer expectations for security researchers reporting bugs to us and to incentivize high-quality reporting and deeper research of Chrome vulnerabilities, exploring them to their full impact and exploitability potential,” said Chrome Security engineer Amy Ressler.
“The highest potential reward amount for a single issue is now $250,000 for demonstrated RCE in a non-sandboxed process. If the RCE in a non-sandboxed process can be achieved without a renderer compromise, it is eligible for an even higher amount, to include the renderer RCE reward.”
The company has also more than doubled reward amounts for MiraclePtr bypasses to $250,128 from $100,115 when the MiraclePtr Bypass Reward was launched.
Google also categorizes and will reward reports for other classes of vulnerabilities depending on their quality, impact, and potential harm to Chrome users as:
- Lower impact: low potential for exploitability, significant preconditions to exploit, low attacker control, low risk/potential for user harm
- Moderate impact: moderate preconditions to exploit, fair degree of attacker control
- High impact: straight-forward path to exploitability, demonstrable and significant user harm, remote exploitability, low preconditions to exploit
“All reports are still eligible for bonus rewards when they include the applicable characteristics. We will continue exploring more experimental reward opportunities, similar to the previous Full Chain Exploit Reward, and evolving our program in ways to better serve the security community,” Ressler added.
“Reports that don’t demonstrate security impact or the potential for user harm, or are purely reports of theoretical or speculative issues are unlikely to be eligible for a VRP reward.”
Earlier this month, Google also announced that its Play Security Reward Program (GPSRP) will close for submissions of new reports at the end of this month, on August 31, because of a “decrease in the number of actionable vulnerabilities reported.”
In July, it also launched kvmCTF, a new VRP first unveiled in October 2023 to improve the security of the Kernel-based Virtual Machine (KVM) hypervisor, offering $250,000 bounties for full VM escape exploits.
Since it launched its Vulnerability Reward Program (VRP) in 2010, Google has paid over $50 million in bug bounty rewards to security researchers who reported more than 15,000 vulnerabilities.