Published on July 19th, 2019 📆 | 5159 Views ⚑
0Over 8,500 Google Chrome Bug Reports, Larger Rewards in Store
Nine years and more than 8,500 security bug reports later, Google decided to increase the value of the rewards for security vulnerabilities submitted through its Chrome Vulnerability Rewards Program.
The amount for the baseline maximum reward has tripled to $15,000 and the ceiling for delivering high-quality reports for valid security vulnerabilities is now $30,000, double of what it used to be.
Chrome OS bug bounty rewards
Google's bug bounty program for Chrome has expanded over the years to include full chain exploits for the eponymous operating system that runs on Chromebook and Chromebox systems.
-he rewards offered through the program are for valid bugs that can escape the built-in isolated containers, vulnerabilities affecting the firmware (processor, embedded controller, and H1), flaws that can defeat the verified boot mechanism and lead to persistence, and issues in the lock screen that can be exploited to circumvent it.
Report type | High-quality report with proof of concept/exploit | High-quality report | Baseline |
---|---|---|---|
Sandbox escape and Firmware | $30,000 | $20,000 | $5,000 - $15,000 |
Lockscreen bypass | $5,000 - $15,000 | ||
Chrome OS Persistence | $5,000 - $15,000 |
Google has also increased its standing payment for researchers that can compromise a Chromebook or Chromebox and achieve persistence in guest mode; this means "guest to guest persistence with interim reboot, delivered via a web page." The money for this is now $150,000. Previously, this was capped to $100,000.
Fuzzer and patch bonuses
The Chrome Vulnerability Rewards Program also covers the Chrome Fuzzer Program, which permits researchers to use their own fuzzers on Google's hardware and get a full reward for any bugs they uncover.
On top of this, Google throws in a bonus that has now doubled to $1,000. Another bonus is for researchers that submit a patch for the vulnerability they found; depending on the quality and complexity, the payment can be between $500 and $2,000.
The payment bumps are visible across the board, as shown in the table below:
Report types | High-quality report with functional exploit |
High-quality report | Baseline |
---|---|---|---|
Sandbox escape / Memory corruption in a non-sandboxed process | $30,000 | $20,000 | $5,000 - $15,000 |
Universal Cross Site Scripting | $20,000 | $15,000 | $2,000 - $10,000 |
Renderer RCE / memory corruption in a sandboxed process | $10,000 | $7,500 | $2,000 - $5,000 |
Security UI Spoofing | $7,500 | [treated as a functional exploit] | $500 - $3,000 |
User information disclosure | $5,000 - $20,000 | [treated as a functional exploit] | $500 - $2,000 |
Web Platform Privilege Escalation | $5,000 | $3,000 | $500 - $1,000 |
Exploitation Mitigation Bypass | $5,000 | $3,000 | $500 - $1,000 |
Chrome Vulnerability Rewards Program was created in 2010 and has paid more than $5 million to researchers submitting security bugs.
Gloss