Google has announced an initiative to triple the rewards for bug bounty hunters who report sandbox escape chain exploits targeting its Chrome web browser until December 1st, 2023.
The aim is to incentivize security researchers to find vulnerabilities that defeat Chrome's security boundaries and thereby harden the browser against real-world attacks. The tripled reward applies only to the first functional full-chain exploit reported; subsequent full-chain submissions receive a bonus that doubles the regular reward.
To be eligible for the rewards, the full chain exploit must result in a Chrome browser sandbox escape, demonstrating attacker control or code execution outside of the sandbox.
The exploit must be fully remote, i.e., usable by a remote attacker without local access, and must work against the Extended Stable, Stable, or Beta channel of Chrome current at the time of the initial bug report. The first full-chain exploit can earn up to $180,000; subsequent full-chain exploits received within the six-month submission window can earn up to $120,000.
Amy Ressler, Senior Technical Program Manager on Google's Chrome Security Team, emphasized that such exploits give the team insight into realistic attack paths and inform the strategies used to strengthen Chrome's defenses. The announcement follows the launch in May of the Mobile Vulnerability Rewards Program, which pays for security flaws found in Google's Android applications.
Over the past decade, Google has disbursed more than $50 million in bounties to researchers who have reported over 15,000 vulnerabilities through its Vulnerability Reward Program (VRP).
Last year, Google paid $12 million in rewards, including a record-breaking $605,000 to a researcher for a series of five security bugs in an Android exploit chain. These ongoing initiatives demonstrate Google’s commitment to fostering a secure and resilient software ecosystem by incentivizing the research community to discover and report vulnerabilities.