Chrome security pays big: Google increases bug bounty to $250,000

The payouts can reach up to $250,000 for the most serious cybersecurity vulnerabilities detected

Google increases payouts for bug bounty program

Google has recently announced a major update to its Chrome Vulnerability Reward Program. As a part of ongoing efforts to harden the security of the Chrome browser, Google increased the maximum reward for finding critical security flaws to an impressive $250,000 – encouraging researchers to look in this direction and report high-impact vulnerabilities:[1]

While the reward amounts for baseline reports of memory corruption will remain consistent, we have increased reward amounts in the other categories with the goal of incentivizing deeper research into the full consequences of a given issue. The highest potential reward amount for a single issue is now $250,000 for demonstrated RCE in a non-sandboxed process.

Effective August 28, 2024, this new reward structure aims to entice top security talent with higher payouts for detailed reports that paint the full picture of a bug's impact. This raises the cap from the earlier set limit of $115,000 and underscores Google's commitment to staying ahead in the cybersecurity landscape.

The top prize will be awarded for research that uncovers and reports memory corruption bugs in non-sandboxed processes, some of the most severe vulnerabilities, as they might allow attackers to execute hostile code on a user's system.

Incentivizing deep security research

The higher rewards from Google are not just about the numbers; they are really incentives for security researchers to give an in-depth scrutiny of the implications of the vulnerabilities they identify. The most interesting reports for Google would be those not only indicating a flaw but also including a profound analysis of its possible impact and how it could be further exploited by attackers.

For instance, the maximum prize is awarded when one demonstrates RCE in a non-sandboxed process, up to $250,000. The prize can go higher if this RCE can be done without having to compromise Chrome's renderer process, depending on the complexity and impact of the exploit.

These large rewards show Google's goal of promoting a collaboratory approach to security that encourages researchers to explore vulnerabilities to their full potential. These important insights allow Google security teams to provide strong patches, mitigating the risk out there.

Broad reward category expansion beyond memory corruption

While memory corruption bugs are one major focus, Google's updated VRP rewards are also extending to other categories of vulnerabilities. For example, high-quality reports on client-side vulnerabilities (such as cross-site scripting attacks or site isolation bypasses) now earn researchers up to $30,000.[2]

Apart from these, Google also reemphasized the importance of its MiraclePtr technology, which stands as the primary defense to the exploitation of use-after-free. The success reward for the bypass of MiraclePtr has been set at $250,128 – the step that shows it featuring in the security structure of Chrome.[3]

These reward increases are part of a more general strategy by Google to have all potential security threats taken up with as much fervor as only the most critical ones. By categorizing vulnerabilities according to their impact and offering tailored rewards, Google is capable of covering a very wide area of potential problems.

Bug bounties can save Google from devastating cybersecurity flaws

Trend on Cybersecurity Google's motivation to boost bug bounty incentives reflects a more widespread trend in the cybersecurity space. Every day, as threats become more sophisticated, companies lean on bug bounty programs to identify and fix vulnerabilities before they are exploited by malicious actors.

High-dollar payouts drive competitive, talented security researchers to invest and pour themselves into uncovering critical flaws. This proactive approach helps companies like Google to continue staying ahead in the evolving threat landscape, maintaining the safety of their users and trust in their products.

Since launching our VRP in 2010,[4] Google has paid out over $50,000,000 in reward payments to researchers reporting over 15,000 vulnerabilities. The recent reward increase to $250,000 is an indication of the company's determination to continue this collaborative approach to cyber security and the importance of independent research in keeping its products secure.

About the author
Gabriel E. Hall
Gabriel E. Hall - Passionate web researcher

Gabriel E. Hall is a passionate malware researcher who has been working for 2-spyware for almost a decade.

Contact Gabriel E. Hall
About the company Esolutions

References
Files
Software
Compare