Google Boosts Reward Payments for Discovering Security Flaws in Chrome
In a significant move to enhance the security of its Chrome browser, Google has updated its Vulnerability Reward Program (VRP) for discovering security vulnerabilities. This development is expected to attract more security experts to participate in the program, leading to a more secure browsing experience for Chrome users.
The New Reward Structure
- Critical vulnerabilities: Up to $30,000 (previously $15,000)
- High-severity vulnerabilities: Up to $15,000 (previously $5,000)
- Medium-severity vulnerabilities: Up to $5,000 (previously $1,000)
- Low-severity vulnerabilities: Up to $1,000 (previously $500)
| Vulnerability Type | High-Quality Report (High Impact) | High-Quality Report (Moderate Impact) | Baseline/Lower Impact |
|---|---|---|---|
| UXSS / Site Isolation Bypass | Up to $30,000 | Up to $20,000 | Up to $10,000 |
| Security UI Spoofing | Up to $10,000 | Up to $5,000 | Up to $3,000 |
| User Information Disclosure | Up to $25,000 | Up to $10,000 | Up to $2,000 |
| Local Privilege Escalation | Up to $15,000 | Up to $5,000 | Up to $2,000 |
| Web Platform Privilege Escalation | Up to $7,000 | Up to $4,000 | Up to $1,000 |
| Exploitation Mitigation Bypass | Up to $5,000 | Up to $4,000 | Up to $1,000 |
The updated Chrome Vulnerability Reward Program also offers up to $250,000 for memory corruption bugs that demonstrate remote code execution (RCE) in a non-sandboxed process. Reports that show a controlled write to an arbitrary memory location can earn up to $90,000, while demonstrated memory corruption issues can receive up to $35,000. Baseline reports continue to be capped at $25,000.
Additionally, Google has revised rewards for memory corruption or RCE vulnerabilities in highly privileged processes, such as GPU or network processes, with potential rewards reaching up to $85,000.
For non-memory-corruption vulnerabilities, rewards are based on the quality of the report, the impact, and the potential harm to users. High-quality reports of high-impact vulnerabilities, such as UXSS or site isolation bypass, can earn up to $30,000, while moderate-impact reports may receive up to $20,000. Lower-impact reports are eligible for rewards of up to $10,000. The reward amounts also vary by vulnerability type, including security UI spoofing, user information disclosure, local privilege escalation, and exploitation mitigation bypass.
In a related update, Google has announced an increase in the MiraclePtr Bypass Reward, raising the amount to $250,128 for a valid submission. This change follows adjustments to Chrome’s security model, where MiraclePtr-protected bugs in non-renderer processes are no longer classified as security vulnerabilities.
Why the Increase in Reward Payments?
Google’s decision to increase reward payments is a strategic move to encourage more security researchers to participate in its VRP. By offering higher rewards, Google aims to attract top talent in the security industry, leading to the discovery of more critical security flaws and ultimately, a more secure Chrome browser.
The Impact on Chrome Security
The increased reward payments are expected to have a significant impact on Chrome’s security. With more security experts participating in the VRP, Google will receive more reports of security vulnerabilities, which will enable the company to fix these issues more quickly and efficiently. This, in turn, will lead to a more secure browsing experience for Chrome users.