Security researchers can now earn a quarter million dollars reporting high-impact memory corruption vulnerabilities in Chrome.

Google has announced new compensation incentives for people who find vulnerabilities in the Chrome browser as part of the company’s Chrome Vulnerability Reward Program (VRP). The increases to its Chrome bug reward structure follow increases Google made last month for “exceptional quality” reports of flaws in a range of Alphabet offerings, including Gmail and Nest. The changes ensure Google and Alphabet continue to rank among the top bug bounty programs again this year.

This week’s Chrome VRP announcement includes an overhaul of the company’s reward structure for memory corruption vulnerabilities, with compensation up to US$250,000 for demonstration of remote code execution (RCE) in a non-sandboxed process. Reporters who do so are eligible for an additional US$55,000 if they also demonstrate renderer RCE. Other levels of compensation, without RCE, include demonstrating a controlled write or a memory corruption. The baseline for bugs that do not reach the bar of such “higher-quality reports” ranges from US$7,000 to US$25,000.

Last year, the total payouts in Google’s bug hunter program were US$10 million, distributed among 632 people from 68 countries. Just over a third of the sum (US$3.4 million) concerned Android vulnerabilities. The second largest expenditure (US$2.1 million) concerned Chrome bugs.

News of the increased bug bounties for Chrome came a day after Google announced that a critical Chrome bug was exploited in the wild after a patch was released. The vulnerability (CVE-2024-7965) involves the V8 JavaScript and WebAssembly engine and carries a CVSS rating of 8.8 out of 10. Discovery of CVE-2024-7965 was credited to TheDog as part of Google’s bug bounty program. TheDog received US$11,000 for the report.
Google has faced at least nine zero-days in Chrome this year, with four Chrome zero-days patched in May alone.

The VRP also spelled out reward categories for non-memory-corruption bugs based on report quality. These include “high quality and high impact” flaws, “high quality and moderate impact” vulnerabilities, and baseline, lower-impact issues. The bugs are also tiered by class: universal cross-site scripting (UXSS), security UI spoofing, user information disclosure, local privilege escalation, web platform privilege escalation, and exploitation mitigation bypass. Payouts decrease in order of this tiering. The Chrome VRP team also provides examples of low-, moderate-, and high-impact bugs.

In total, Google has paid out US$59 million since its bug hunter programs were launched in 2010. In 2022, a record year, US$12 million was paid out.