"Google Now Offering Up to $250,000 for Chrome Vulnerabilities"

Google recently announced significantly boosted rewards for Chrome browser vulnerabilities reported through its Vulnerability Reward Program (VRP). With the updated rewards, Google says security researchers may earn as much as $250,000 for a single issue or even more if specific conditions are met. As before, the highest payouts will go to researchers who demonstrate memory corruption bugs in non-sandboxed processes.

Google noted that for memory corruption flaws, it expects researchers to provide high-quality reports demonstrating remote code execution (RCE) with functional exploits, the controlled write of arbitrary locations in memory, or the triggering of memory corruption. Google is willing to pay as much as $250,000 for demonstrated RCE in a non-sandboxed process, and it may add an additional reward if the proof-of-concept (PoC) code achieves RCE without a renderer compromise. Reports demonstrating controlled write in a non-sandboxed process may earn researchers up to $90,000, while reports demonstrating memory corruption may earn up to $35,000. Google says it will offer rewards of up to $85,000 for reports demonstrating RCE in a highly privileged process and up to $55,000 for reports demonstrating RCE in a sandboxed process.

The reward amounts for baseline reports of memory corruption have been set at $25,000, $10,000, and $7,000, and Google says these will remain consistent, as the boosted reward amounts in the other categories are expected to incentivize "deeper research into the full consequences of a given issue."

 

SecurityWeek reports: "Google Now Offering Up to $250,000 for Chrome Vulnerabilities"

Submitted by Adam Ekwall on