Google Announces Adjustment to Chrome Vulnerability Security Reward Program, Single Vulnerabilities Now Eligible for Up to $250,000 Reward

Google is attracting more security researchers to participate in improving the security of the Chrome browser by continuing to increase the bounty rewards. Google recently announced that it has raised the maximum reward for a single vulnerability in the Chrome Vulnerability Rewards Program (VRP) to $250,000.

A Google security engineer stated in a blog:

By adjusting the rewards and amounts of the Chrome VRP, we aim to provide a better structure and clearer expectations for security researchers participating in Chrome vulnerability research. This encourages security researchers to delve deeper into researching Chrome vulnerabilities and submit higher quality vulnerability reports.

The maximum potential reward for an individual vulnerability has now been increased to $250,000. This reward level applies to demonstrating Remote Code Execution (RCE) in non-sandboxed processes: a higher amount is eligible if RCE can be achieved in a non-sandboxed process without breaking the renderer, including a Renderer RCE reward.

Google also mentioned that the reward for bypassing MiraclePtr vulnerabilities has doubled from 100,115 to250,128. MiraclePtr is a security mitigation solution introduced by Google for Chrome to mitigate the harm of Use-After-Free (UaF) class vulnerabilities.

Below are the vulnerability levels classified by Google:

• Minor Impact Vulnerabilities: Very low usability, clear prerequisites for exploitation, low capability for attackers to manipulate, low risk to users.
• Moderate Impact Vulnerabilities: Moderate prerequisites for exploitation, moderate capability for attackers to manipulate.
• High Impact Vulnerabilities: Direct exploitable paths, provable significant harm, remotely exploitable, and very low prerequisites.

All security vulnerability reports that contain characteristics of applicable levels are eligible for a reward. Google is also exploring more experimental reward opportunities, similar to previous instances where discovering a full chain of vulnerabilities could result in additional rewards.

Of course, if a submitted report does not demonstrate potential security harm or poses very minimal harm to users, or if it is purely theoretical or speculative, it is unlikely to receive a reward from Google.