It may come as something of a surprise to realize that the Google Chrome browser is 16 years old now. Just a couple of years behind is the Chrome Vulnerability Reward Program, which pays cash bounties to security researchers so as to keep improving the security of the browser with billions of users. Google has today announced changes to the Chrome VRP that provide both a clearer structure and new rewards that incentivize high-quality reporting and deeper research of Chrome vulnerabilities.
The Changes To Google’s Chrome Vulnerability Reward Program
Google is moving away from a relatively simple single table of rewards for reported vulnerabilities that have not been mitigated, and is separating memory corruption flaws from the rest of the bugs. “This will allow us to better incentivize more impactful research in each area,” said Amy Ressler, a security engineer with the Chrome security team, “and also reward for higher quality and more impactful reporting.”
Google Chrome Memory Corruption Vulnerability Rewards
Let’s start with the memory corruption vulnerabilities area, which has seen a complete remodeling into four distinct categories:
- A high-quality report with a clear demonstration of remote code execution through a functional exploit.
- A high-quality report demonstrating attacker controlled write of arbitrary locations in memory.
- A high-quality report demonstrating memory corruption in Chrome.
- A baseline report consisting of a stack trace and proof of concept to evidence a triggerable memory corruption in Chrome.
To incentivize deeper research into not only a vulnerability but also the consequences of exploiting it, Ressler confirmed that reward bounties have increased in every category except the baseline, as can be seen in the table below. This means the most a researcher can expect to receive for a single issue is now $250,000, although this can be increased, Ressler said, “if the RCE in a non-sandboxed process can be achieved without a renderer compromise.”
Other Chrome Bugs Categorized By Impact
Of course, while memory corruption vulnerabilities may be the most valuable, they are far from the only Google Chrome bugs that can be found. The changes to the VRP structure are, therefore, also designed to encourage “more deterministic reward decisions based on report quality, impact, and the potential harm for people using Chrome.” Ressler’s post confirms these will be divided into three categories depending upon their level of impact.
Low impact covers vulnerabilities with a lower potential for exploitation and significant exploit preconditions; in other words, the ones that give an attacker less control and have less potential to do serious user harm.
Moderate impact, as you might expect, sits in the middle: vulnerabilities that require a moderate degree of exploit preconditions and give the attacker a middling degree of control.
The highest impact category is for vulnerabilities with the easiest exploit paths, remote exploitability, and demonstrable, significant harm to users.
MiraclePtr Bypass Exploit Rewards More Than Double To $250,128
It’s worth noting that one particular type of reward, that for a MiraclePtr bypass, has been more than doubled from $100,115 to $250,128. As explained in some technical detail in a 2022 Google security post, MiraclePtr is a technology to prevent exploitation of use-after-free bugs. As such, any bypass is a pretty serious matter and this is reflected in the new bounty. As of Chrome 128, Ressler said, “MiraclePtr-protected bugs in non-renderer processes are no longer considered security bugs. As such, MiraclePtr is considered a declarative security boundary.”
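To make the use-after-free class that MiraclePtr targets concrete, the following is an added toy model of the reference-counting idea behind it (the BackupRefPtr approach). It is not Chromium code and not the technique as implemented in Chrome: the allocation header layout, the `ProtectedPtr` and `SlotNew`/`SlotDelete` names and the 0xEF poison byte are all assumptions made for this illustration. The point it shows is that when the owner frees an object while a protected pointer still references it, the memory is poisoned and quarantined rather than returned to the allocator, so the dangling pointer cannot be pointed at attacker-controlled reused memory.

```cpp
// Toy model of the BackupRefPtr idea behind MiraclePtr (added example, not
// Chromium code): a reference count stored in front of each allocation keeps
// the slot quarantined while any protected pointer still points at it.
#include <cstdint>
#include <cstdlib>
#include <cstring>
#include <new>
#include <utility>

static constexpr unsigned char kPoison = 0xEF;  // assumed poison byte, not Chromium's value
static int g_live_slots = 0;                    // slots not yet returned to the allocator

struct SlotHeader {
    uint32_t ref_count;  // outstanding ProtectedPtr instances
    bool freed;          // owner has already called SlotDelete
};

template <typename T>
SlotHeader* HeaderOf(T* p) {
    return reinterpret_cast<SlotHeader*>(reinterpret_cast<char*>(p) - sizeof(SlotHeader));
}

// Allocate an object with a SlotHeader placed directly in front of it.
template <typename T, typename... Args>
T* SlotNew(Args&&... args) {
    void* raw = std::malloc(sizeof(SlotHeader) + sizeof(T));
    auto* hdr = new (raw) SlotHeader{0, false};
    ++g_live_slots;
    return new (reinterpret_cast<char*>(hdr) + sizeof(SlotHeader)) T(std::forward<Args>(args)...);
}

static void ReleaseSlot(SlotHeader* hdr) {
    std::free(hdr);
    --g_live_slots;
}

// Returns true when the memory was really released, false when it was
// quarantined (and poisoned) because a protected pointer still references it.
template <typename T>
bool SlotDelete(T* p) {
    SlotHeader* hdr = HeaderOf(p);
    p->~T();
    hdr->freed = true;
    if (hdr->ref_count == 0) {
        ReleaseSlot(hdr);
        return true;
    }
    std::memset(reinterpret_cast<void*>(p), kPoison, sizeof(T));
    return false;
}

// Protected pointer: holds a reference on the slot for as long as it exists.
template <typename T>
class ProtectedPtr {
  public:
    ProtectedPtr() = default;
    explicit ProtectedPtr(T* p) : p_(p) { Acquire(); }
    ProtectedPtr(const ProtectedPtr& o) : p_(o.p_) { Acquire(); }
    ProtectedPtr& operator=(const ProtectedPtr& o) {
        if (this != &o) { Release(); p_ = o.p_; Acquire(); }
        return *this;
    }
    ~ProtectedPtr() { Release(); }

    bool is_dangling() const { return p_ && HeaderOf(p_)->freed; }
    T* get() const { return p_; }

  private:
    void Acquire() { if (p_) ++HeaderOf(p_)->ref_count; }
    void Release() {
        if (!p_) return;
        SlotHeader* hdr = HeaderOf(p_);
        if (--hdr->ref_count == 0 && hdr->freed) ReleaseSlot(hdr);  // last reference gone: free now
        p_ = nullptr;
    }
    T* p_ = nullptr;
};

struct Node { int value; };

// Classic use-after-free shape: the owner frees while another pointer still
// refers to the object. The slot is quarantined and poisoned, not reused.
bool DanglingPointerIsQuarantined() {
    Node* owner = SlotNew<Node>(Node{42});
    ProtectedPtr<Node> dangling(owner);
    bool released = SlotDelete(owner);  // object destroyed; memory stays allocated
    const unsigned char* bytes = reinterpret_cast<const unsigned char*>(dangling.get());
    return !released && dangling.is_dangling() && bytes[0] == kPoison;
}

// Without outstanding protected pointers, delete returns the memory at once.
bool UnreferencedSlotFreesImmediately() {
    Node* owner = SlotNew<Node>(Node{7});
    return SlotDelete(owner);
}

int LiveSlots() { return g_live_slots; }

int main() {
    bool quarantined = DanglingPointerIsQuarantined();
    bool freed = UnreferencedSlotFreesImmediately();
    return (quarantined && freed && LiveSlots() == 0) ? 0 : 1;
}
```

Note what this model does and does not claim: it turns a use-after-free into a read of poison bytes or a crash instead of a read of attacker-reused memory, which is why a bypass (a way to obtain a dangling raw pointer that escapes the reference count, or to get the quarantined slot reused) is treated as a security boundary breach. It deliberately does nothing about the renderer process, where Chrome's own post says the protection is not a security boundary.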