To mark the 16th anniversary of Google Chrome and the 14th birthday of its associated Vulnerability Reward Program (VRP), Google announced a series of updates to the program designed to attract security and vulnerability researchers to share details of issues they encounter.
In a blog post by information security engineer Amy Ressler, the plan is described as undergoing an evolution “to encourage high-quality reporting and deeper investigations into Chrome vulnerabilities.”
As part of the updates, Google has made available up to $250,000 for remote code execution demonstrated in a sandbox-less process.
Google increases its Chrome VRP rewards
Ressler shared: “If RCE on a non-isolated process can be achieved without compromising the renderer, it is eligible for an even larger reward, including the renderer RCE reward.”
In addition to memory corruption bugs, Google will also consider reports of other vulnerabilities, with rewards ranging from $1,000 to $30,000 on a scale of low, moderate, and high impact.
The company will also treat MiraclePtr as a declarative security boundary, removing MiraclePtr-protected bugs in non-rendering processes from their security bug status. As a result, starting with Chrome 128, a valid submission of a MiraclePtr bypass could return a bounty of up to $250,128 — more than double the $100,115 previously available.
Google confirmed: “Reports that do not demonstrate a security impact or potential for user harm, or are purely theoretical or speculative issue reports, are unlikely to be eligible for a VRP reward.”
Looking ahead, Chrome developers have pledged to explore more experimental bounty opportunities and evolve their program “to better serve the security community.”
Additionally, Google rolled out updates to its other systems earlier this summer, and some RCE reports were able to generate more than $150,000 in bounties. At the time, cybersecurity engineers Sam Erb and Krzysztof Kotowicz explained that Google's systems had become more secure, so developers should be eligible for larger bounties.
