Google triples rewards for Chrome sandbox escape chain exploits – Source: www.bleepingcomputer.com

Google announced today that bug bounty hunters who report sandbox escape chain exploits targeting its Chrome web browser are now eligible for triple the standard reward until December 1st, 2023.

The company’s initiative aims to encourage security researchers to identify and report vulnerabilities that could help threat actors compromise the Chrome browser’s security mechanisms, ultimately helping enhance the overall resilience of the software against attacks.

The Chrome Vulnerability Reward Program bonus is effective starting today, June 1st, and only applies to the first functional full-chain exploit.

“The full chain exploit must result in a Chrome browser sandbox escape, with a demonstration of attacker control / code execution outside of the sandbox. The exploit scenario must be fully remote and the exploit able to be used by a remote attacker,” Google explains.

“Eligible full chain exploits must work against Extended Stable, Stable, or Beta releases of Chrome at the time of the initial bug reports. If the exploit is provided after the bug is resolved, it is only required to work against production versions of Chrome shipping at the time of the original report.”

Subsequent full-chain exploits submitted through the Chrome VRP will also get a significant bonus that will double the regular reward.

By submitting a full chain exploit, participants could get a reward reaching as high as $180,000, potentially further augmented by other bonuses, and up to $120,000 for other exploits received throughout the rest of the six-month submission window.

“These exploits provide us valuable insight into the potential attack vectors for exploiting Chrome, and allow us to identify strategies for better hardening specific Chrome features and ideas for future broad-scale mitigation strategies,” said Amy Ressler, a Chrome Security Team Senior Technical Program Manager.

Recent Google VRP developments

Today’s announcement follows the launch of the new Mobile Vulnerability Rewards Program (Mobile VRP) in May, which comes with rewards for security flaws found in Google’s Android applications.

In August, the company also announced that it would pay for bugs reported in the latest released versions of Google open-source software, including projects like Bazel, Angular, Golang, Protocol buffers, and Fuchsia.

Over a decade, Google has disbursed more than $50 million in bounties to researchers who reported over 15,000 vulnerabilities through its Vulnerability Reward Program (VRP) since its inception in 2010.

Last year alone, Google paid $12 million, with a record-breaking $605,000 reward to gzobqq (the highest amount ever rewarded in the history of Android VRP) for a series of five security bugs part of an Android exploit chain. 

The same researcher reported another critical Android exploit chain the previous year, earning another impressive $157,000 payout.