Nine years later and more than 8,500 security bug reports, Google has decided to increase the value of its Chrome Vulnerability rewards program for security vulnerabilities.
The maximum premium for the base line has increased to $15,000, with a ceiling of $30,000, twice as much as previously to produce high-quality reports for current security vulnerabilities.
Chrome OS bug bounty rewards the Google Chrome bug bounty program over the years to include full chain exploits for the same-named Chromebook and Chromebox operating system.
-The program’s rewards are to use valid bugs to escape integrated isolated containers, firmware vulnerabilities (processors, built-in controllers, and H1), flaws that may overturn the verified boot mechanism and lead to persistence, and lock screen problems that can be used to circumvent it.
|Report type||High-quality report with proof of concept/exploit||High-quality report||Baseline|
|Sandbox escape and Firmware||$30,000||$20,000||$5,000 – $15,000|
|Lockscreen bypass||$5,000 – $15,000|
|Chrome OS Persistence||$5,000 – $15,000|
Google’s standing payment has also increased for researchers, who are able to compromise a Chromebook or Chromebox by persistent guest mode; this means “guests with interim reboots, delivered through a Web page,” with $150,000 now available. Earlier this had been limited to $100,000.
Fuzzer and patch bonuses
The Chrome vulnerability reward program also covers the Chrome fuzzer program, which allows researchers to use their own fuzzers on Google’s hardware and get full retribution for any bugs they uncover. The Chrome vulnerability rewards programme.
Google also lists a bonus which has doubled to $1,000. In addition. Another bonus is to researchers who submit a patch for the vulnerability they have found; the payment can vary from $500 to $2,000 depending on quality and complexity.
As shown in the table below, the payment bumps are displayed across the board.
|Report types||High-quality report with
|Sandbox escape / Memory corruption in a non-sandboxed process||$30,000||$20,000||$5,000 – $15,000|
|Universal Cross Site Scripting||$20,000||$15,000||$2,000 – $10,000|
|Renderer RCE / memory corruption in a sandboxed process||$10,000||$7,500||$2,000 – $5,000|
|Security UI Spoofing||$7,500||[treated as a functional exploit]||$500 – $3,000|
|User information disclosure||$5,000 – $20,000||[treated as a functional exploit]||$500 – $2,000|
|Web Platform Privilege Escalation||$5,000||$3,000||$500 – $1,000|
|Exploitation Mitigation Bypass||$5,000||$3,000||$500 – $1,000|
Chrome Vulnerability Rewards was developed in 2010 and paid over $5 million in security bugs to researchers.