More than 8,500 Google Chrome Bug Reports, Greater Rewards in Store


Nine years and more than 8,500 security bug reports later, Google has decided to increase the payouts of its Chrome Vulnerability Rewards Program.

The maximum baseline reward has increased to $15,000, with a ceiling of $30,000, twice as much as previously, for high-quality reports on current security vulnerabilities.

Chrome OS bug bounty rewards

The Google Chrome bug bounty program has grown over the years to include full chain exploits for the same-named operating system that runs on Chromebooks and Chromeboxes.

The program rewards valid bugs that escape integrated isolated containers, firmware vulnerabilities (processors, built-in controllers, and H1), flaws that may defeat the verified boot mechanism and lead to persistence, and lock screen problems that can be used to circumvent it.

| Report type | High-quality report with proof of concept/exploit | High-quality report | Baseline |
|---|---|---|---|
| Sandbox escape and Firmware | $30,000 | $20,000 | $5,000 – $15,000 |
| Lockscreen bypass | $5,000 – $15,000 |
| Chrome OS Persistence | $5,000 – $15,000 |


Google’s standing reward has also increased for researchers who are able to compromise a Chromebook or Chromebox with persistence in guest mode; this means “guests with interim reboots, delivered through a Web page,” with $150,000 now available. Earlier this had been limited to $100,000.

Fuzzer and patch bonuses

The Chrome Vulnerability Rewards Program also covers the Chrome Fuzzer Program, which allows researchers to run their own fuzzers on Google’s hardware and receive the full reward for any bugs they uncover.

Google also lists a bonus, which has doubled to $1,000. In addition, another bonus goes to researchers who submit a patch for the vulnerability they have found; the payment can vary from $500 to $2,000 depending on quality and complexity.

As the table below shows, payments have been bumped across the board.

| Report type | High-quality report with functional exploit | High-quality report | Baseline |
|---|---|---|---|
| Sandbox escape / Memory corruption in a non-sandboxed process | $30,000 | $20,000 | $5,000 – $15,000 |
| Universal Cross Site Scripting | $20,000 | $15,000 | $2,000 – $10,000 |
| Renderer RCE / memory corruption in a sandboxed process | $10,000 | $7,500 | $2,000 – $5,000 |
| Security UI Spoofing | $7,500 | [treated as a functional exploit] | $500 – $3,000 |
| User information disclosure | $5,000 – $20,000 | [treated as a functional exploit] | $500 – $2,000 |
| Web Platform Privilege Escalation | $5,000 | $3,000 | $500 – $1,000 |
| Exploitation Mitigation Bypass | $5,000 | $3,000 | $500 – $1,000 |


The Chrome Vulnerability Rewards Program was created in 2010 and has paid over $5 million to researchers for security bugs.


Mark Funk
Mark Funk is an experienced information security specialist who works with enterprises to mature and improve their enterprise security programs. Previously, he worked as a security news reporter.