Google has significantly increased the rewards for Chrome browser vulnerabilities, offering up to $250,000 for remote code execution bugs.
Google today announced significantly boosted rewards for Chrome browser vulnerabilities reported through its Vulnerability Reward Program (VRP).
With the updated rewards, security researchers may earn as much as $250,000 for a single issue, or even more if specific conditions are met. Just as before, the highest payouts will go to researchers who demonstrate memory corruption bugs in non-sandboxed processes.
For memory corruption flaws, Google expects researchers to provide high-quality reports demonstrating remote code execution (RCE) with functional exploits, the controlled write of arbitrary locations in memory, or the triggering of memory corruption.
Google is willing to pay out as much as $250,000 for demonstrated RCE in a non-sandboxed process, and may add an additional reward if the proof-of-concept (PoC) code achieves RCE without a renderer compromise.
Reports demonstrating controlled write in a non-sandboxed process may earn researchers up to $90,000, while reports demonstrating memory corruption may be awarded rewards of up to $35,000.
The internet giant says it will offer rewards of up to $85,000 for reports demonstrating RCE in a highly-privileged process and up to $55,000 for reports demonstrating RCE in a sandboxed process.
The reward amounts for baseline reports of memory corruption have been set at $25,000, $10,000, and $7,000, and Google says these will remain consistent, as the boosted reward amounts in the other categories are expected to incentivize “deeper research into the full consequences of a given issue”.
The same as for memory corruption bugs, the internet giant will be offering rewards for other classes of vulnerabilities based on report quality, impact, and the potential harm for Chrome users.
Google will pay out up to $30,000 for high-quality reports describing client-side flaws in the browser leading to cross-site scripting (XSS) conditions, or site isolation bypasses.
The reward for any vulnerability that bypasses MiraclePtr, the technology that reduces the exploitability of use-after-free issues in Chrome, has been increased to $250,128, compared to $100,115 before.
Bonus rewards will also be handed out for reports that include the applicable characteristics, the internet giant says.
Source: Security Week