Google increases Chrome bug bounty rewards to as much as $250,000

Google has more than doubled payouts for Google Chrome security flaws reported through its Vulnerability Reward Program, with the maximum possible reward for a single bug now exceeding $250,000.

Starting today, the search giant will differentiate memory corruption vulnerabilities depending on the quality of the report and the researcher's effort to establish the full impact of the reported issues.

The rewards increase significantly from baseline reports demonstrating Chrome memory corruption with stack traces and a proof-of-concept (with rewards of up to $25,000) to a high-quality report with a remote code execution demonstration via a functional exploit.

“It is time to evolve Chrome VRP rewards and amounts to provide an improved structure and clearer expectations for security researchers reporting bugs to us and to incentivize high-quality reporting and deeper research of Chrome vulnerabilities, exploring them to their full impact and exploitability potential,” said Chrome Security engineer Amy Ressler.

“The highest potential reward amount for a single issue is now $250,000 for demonstrated RCE in a non-sandboxed process. If the RCE in a non-sandboxed process can be achieved without a renderer compromise, it is eligible for an even higher amount, to include the renderer RCE reward.”

The company has also more than doubled reward amounts for MiraclePtr bypasses, to $250,128 from the $100,115 offered when the MiraclePtr Bypass Reward was launched.

Google also categorizes, and will reward, reports for other classes of vulnerabilities depending on their quality, impact, and potential harm to Chrome users as:

  • Lower impact: low potential for exploitability, significant preconditions to exploit, low attacker control, low risk/potential for user harm
  • Moderate impact: moderate preconditions to exploit, fair degree of attacker control
  • High impact: straightforward path to exploitability, demonstrable and significant user harm, remote exploitability, low preconditions to exploit

“All reports are still eligible for bonus rewards when they include the applicable characteristics. We will continue exploring more experimental reward opportunities, similar to the previous Full Chain Exploit Reward, and evolving our program in ways to better serve the security community,” Ressler added.

“Reports that don’t demonstrate security impact or the potential for user harm, or are purely reports of theoretical or speculative issues are unlikely to be eligible for a VRP reward.”

Earlier this month, Google also announced that its Play Security Reward Program (GPSRP) will close for submissions of new reports at the end of this month, on August 31, due to a “decrease in the number of actionable vulnerabilities reported.”

In July, it also launched kvmCTF, a new VRP first unveiled in October 2023 to improve the security of the Kernel-based Virtual Machine (KVM) hypervisor, offering $250,000 bounties for full VM escape exploits.

Since it launched its Vulnerability Reward Program (VRP) in 2010, Google has paid over $50 million in bug bounty rewards to security researchers who reported more than 15,000 vulnerabilities.
