To celebrate the 16th anniversary of Google Chrome and the 14th anniversary of its Vulnerability Reward Program (VRP), Google has announced a series of updates to the program. These updates are intended to attract security and vulnerability researchers and share details about issues as they arise.
According to a blog post by information security engineer Amy Ressler, the program is evolving “to encourage higher-quality reporting and deeper investigations into Chrome vulnerabilities.”
As part of the updates, Google has made available up to $250,000 for demonstrated remote code execution in a non-sandboxed process.
Ressler shared, “If the RCE can be achieved in a non-sandbox process without a renderer compromise, it will be eligible for an even higher reward, including the renderer RCE reward.”
In addition to bugs that cause memory corruption, Google will also consider reports of other vulnerabilities. The rewards for these range from $1,000 to $30,000, based on a scale of low, medium, and high impact.
The company will also consider MiraclePtr a declared security boundary, which means MiraclePtr-protected bugs in non-renderer processes will no longer be treated as security bugs. As a result, starting with Chrome 128, a valid MiraclePtr bypass submission could yield a reward of up to $250,128, more than double the $100,115 previously available.
Google confirmed: “Reports that do not demonstrate a security impact or potential harm to users, or that are purely reports of theoretical or speculative issues, are unlikely to be eligible for a VRP reward.”
Looking ahead, Chrome developers have committed to exploring more experimental rewards opportunities and evolving the program “to better serve the security community.”
Additionally, Google rolled out updates to its other schemes earlier this summer, with some RCE reports claiming rewards of over $150,000. At the time, information security engineers Sam Erb and Krzysztof Kotowicz explained that Google’s systems had become more secure, which should make developers eligible for higher rewards.