Google has updated its Vulnerability Reward Program (VRP) for Chrome, increasing rewards for finding security vulnerabilities and offering users a chance to win up to $250,000 (approximately Rs 1,95,00,000). With the upgraded bounty program for Chrome, the company aims to encourage deeper research and higher-quality bug reports from security researchers.
New bug bounty reward structure for Chrome
The new VRP reward structure separates memory corruption issues from other classes of vulnerabilities to provide clearer expectations and incentivise impactful research. The company has now categorised the rewards for memory corruption bugs into four levels: high-quality reports with demonstration of remote code execution (RCE), high-quality reports demonstrating controlled write, high-quality reports of demonstrated memory corruption, and baseline reports.
Reward details
The highest reward for memory corruption bugs is set at $250,000, offered for demonstrated RCE in a non-sandboxed process. Reports showing controlled write of arbitrary memory locations can earn up to $90,000, while demonstrated memory corruption issues can earn up to $35,000.
Baseline reports are still capped at $25,000. Google has also adjusted rewards for memory corruption or RCE in highly privileged processes, such as GPU or network processes, with potential rewards of up to $85,000.
For non-memory corruption vulnerabilities, Google has outlined rewards based on report quality, impact, and potential harm to users. The reward for high-quality reports of high-impact vulnerabilities, such as UXSS or site isolation bypass, is $30,000, while moderate impact reports can receive up to $20,000.
Lower impact reports are eligible for rewards up to $10,000. The reward amounts vary for different types of vulnerabilities, including security UI spoofing, user information disclosure, local privilege escalation, and exploitation mitigation bypass.
MiraclePtr bypass reward update
In addition to these, Google has also announced an update to the MiraclePtr Bypass Reward: the company has increased the amount to $250,128 for a valid submission. This follows changes to Chrome's security model, where MiraclePtr-protected bugs in non-renderer processes are no longer considered security vulnerabilities.
Reward summary
| Vulnerability Type | High-Quality Report (High Impact) | High-Quality Report (Moderate Impact) | Baseline/Lower Impact |
| --- | --- | --- | --- |
| UXSS / Site Isolation Bypass | Up to $30,000 | Up to $20,000 | Up to $10,000 |
| Security UI Spoofing | Up to $10,000 | Up to $5,000 | Up to $3,000 |
| User Information Disclosure | Up to $25,000 | Up to $10,000 | Up to $2,000 |
| Local Privilege Escalation | Up to $15,000 | Up to $5,000 | Up to $2,000 |
| Web Platform Privilege Escalation | Up to $7,000 | Up to $4,000 | Up to $1,000 |
| Exploitation Mitigation Bypass | Up to $5,000 | Up to $4,000 | Up to $1,000 |
