Google Boosts Reward Payments for Discovering Security Flaws in Chrome

In a significant move to enhance the security of its Chrome browser, Google has updated its Vulnerability Reward Program (VRP) for discovering security vulnerabilities. This development is expected to attract more security experts to participate in the program, leading to a more secure browsing experience for Chrome users.

The New Reward Structure

  • Critical vulnerabilities: Up to $30,000 (previously $15,000)
  • High-severity vulnerabilities: Up to $15,000 (previously $5,000)
  • Medium-severity vulnerabilities: Up to $5,000 (previously $1,000)
  • Low-severity vulnerabilities: Up to $1,000 (previously $500)

| Vulnerability Type | High-Quality Report (High Impact) | High-Quality Report (Moderate Impact) | Baseline/Lower Impact |
|---|---|---|---|
| UXSS / Site Isolation Bypass | Up to $30,000 | Up to $20,000 | Up to $10,000 |
| Security UI Spoofing | Up to $10,000 | Up to $5,000 | Up to $3,000 |
| User Information Disclosure | Up to $25,000 | Up to $10,000 | Up to $2,000 |
| Local Privilege Escalation | Up to $15,000 | Up to $5,000 | Up to $2,000 |
| Web Platform Privilege Escalation | Up to $7,000 | Up to $4,000 | Up to $1,000 |
| Exploitation Mitigation Bypass | Up to $5,000 | Up to $4,000 | Up to $1,000 |

The updated Vulnerability Reward Program offers up to $250,000 for memory corruption bugs that demonstrate remote code execution (RCE) in a non-sandboxed process. Reports that show controlled writing of arbitrary memory locations can earn up to $90,000, while demonstrated memory corruption issues can receive up to $35,000. Baseline reports continue to be capped at $25,000.

Additionally, Google has revised rewards for memory corruption or RCE vulnerabilities in highly privileged processes, such as GPU or network processes, with potential rewards reaching up to $85,000.

For non-memory corruption vulnerabilities, rewards are based on the quality of the report, the impact, and the potential harm to users. High-quality reports of high-impact vulnerabilities, such as UXSS or site isolation bypass, can earn up to $30,000, while moderate impact reports may receive up to $20,000. Lower impact reports are eligible for rewards up to $10,000. The reward amounts also vary depending on the type of vulnerability, including security UI spoofing, user information disclosure, local privilege escalation, and exploitation mitigation bypass.

In a related update, Google has announced an increase in the MiraclePtr Bypass Reward, raising the amount to $250,128 for a valid submission. This change follows adjustments to Chrome’s security model, where MiraclePtr-protected bugs in non-renderer processes are no longer classified as security vulnerabilities.

Why the Increase in Reward Payments?

Google’s decision to increase reward payments is a strategic move to encourage more security researchers to participate in its VRP. By offering higher rewards, Google aims to attract top talent in the security industry, leading to the discovery of more critical security flaws and ultimately, a more secure Chrome browser.

The Impact on Chrome Security

The increased reward payments are expected to have a significant impact on Chrome’s security. With more security experts participating in the VRP, Google will receive more reports of security vulnerabilities, which will enable the company to fix these issues more quickly and efficiently. This, in turn, will lead to a more secure browsing experience for Chrome users.
