Google increases Chrome bug bounty rewards up to $250,000

30 August 2024, 17:50 published

[ad_1]

To mark Google Chrome’s 16th anniversary, and its associated Vulnerability Reward Program (VRP)’s 14th birthday, Google has announced a series of updates to the scheme designed to attract security and vulnerability researchers to share details of arising issues.

In a blog post by Information Security Engineer Amy Ressler, the scheme is being described as undergoing an evolution “to incentivize high-quality reporting and deeper research of Chrome vulnerabilities.”

As part of the updates, Google has made up to $250,000 available for demonstrated remote code execution in a non-sandboxed process.

Google increases its Chrome VRP bounties

Ressler shared: “If the RCE in a non-sandboxed process can be achieved without a renderer compromise, it is eligible for an even higher reward, to include the renderer RCE reward.”

Beside memory corruption bugs, Google will also consider reports regarding other vulnerabilities, with rewards ranging from $1,000 to $30,000 based on a scale of lower, moderate and high impact.

The company will also consider MiraclePtr a declarative security boundary, stripping MiraclePtr-protected bugs in non-renderer processes from their security bug status. Consequentially, from Chrome 128, a valid submission of a MiraclePtr bypass could return a reward of up to $250,128, more than double the $100,115 previously available.

Google confirmed: “Reports that don’t demonstrate security impact or the potential for user harm, or are purely reports of theoretical or speculative issues are unlikely to be eligible for a VRP reward.”

Looking ahead, Chrome’s developers have committed to exploring more experimental reward opportunities and evolving its program “to better serve the security community.”

Moreover, Google rolled out updates to its other schemes earlier this summer, with some RCE reports capable of bringing in more than $150,000 in rewards. At the time, information security engineers Sam Erb and Krzysztof Kotowicz explained that Google’s systems have become more secure, thus developers should be eligible for higher rewards.