In a significant move to bolster its browser security, Google has announced a substantial increase in its Chrome Vulnerability Reward Program (VRP) payouts. The tech giant is now offering up to $250,000 for a single critical vulnerability, effectively doubling the previous maximum reward. This decision underscores Google’s commitment to maintaining Chrome’s security and incentivizing researchers to uncover potential threats.
Enhanced Rewards for Memory Corruption Vulnerabilities
Google has implemented a new tiered reward system for memory corruption vulnerabilities, with payouts based on the quality of reports and the depth of researchers’ analysis. Basic reports demonstrating memory corruption in Chrome, complete with stack traces and proof-of-concept, can now earn up to $25,000. However, more comprehensive reports that showcase remote code execution (RCE) capabilities with working exploits will be valued significantly higher.
Maximum Payout for Critical Vulnerabilities
The most substantial reward, capped at $250,000, is reserved for demonstrating RCE in a process outside the sandbox. Google has also increased the bounty for RCE vulnerabilities that don’t require compromising the renderer, with additional payouts for renderer-based RCE attacks.
MiraclePtr Bypass and Other Vulnerability Classes
In addition to memory corruption vulnerabilities, Google has more than doubled the reward for bypassing MiraclePtr, a key security feature in Chrome. The new maximum payout for this category has increased from $100,115 to $250,128. The company also offers rewards for other vulnerability classes, with amounts varying based on their severity, impact, and potential harm to Chrome users.
Encouraging High-Quality Research and Reporting
Amy Ressler, a Chrome security engineer, emphasized the program’s focus on incentivizing thorough research and high-quality reports. She stated, “It’s time to update the reward amounts in the Chrome VRP to create a clearer structure and expectations for security researchers reporting bugs to us, as well as to encourage quality write-ups and deeper exploration of Chrome vulnerabilities to understand their full exploitation potential.”
Google maintains strict criteria for awarding bounties. Reports that fail to convincingly demonstrate security implications or potential user harm, or those that are purely theoretical or speculative, are unlikely to qualify for rewards under the VRP.
Since the launch of its bug bounty program in 2010, Google has paid out over $50 million to security researchers who have collectively identified more than 15,000 vulnerabilities. This latest increase in reward amounts reflects Google’s ongoing dedication to collaborative security efforts and its recognition of the vital role played by independent researchers in maintaining Chrome’s robust security posture.
As cyber threats continue to evolve, Google’s enhanced bug bounty program serves as a powerful incentive for the global security community to contribute to Chrome’s defense mechanisms. By fostering this collaborative approach, Google aims to stay ahead of potential vulnerabilities and ensure a safer browsing experience for millions of Chrome users worldwide.