Google triples reward for Chrome full chain exploits
Google has tripled the full reward amount for the first security bug report that includes a functional full chain exploit of its popular Chrome browser.
Six months of higher rewards for a Chrome full chain exploit
The Chrome Vulnerability Rewards Program, which started on June 1, is set to run until December 1, 2023. During this period, bug hunters who report security bugs that can be chained together to fully exploit Chrome can get up to $180,000.
To further encourage researchers, Google has implemented an additional reward structure. When submitting subsequent full chain exploits, bug hunters will get the opportunity to earn up to $120,000.
“We’re always interested in explorations of new and novel approaches to fully exploit Chrome browser and we want to provide opportunities to better incentivize this type of research,” said Amy Ressler from the Chrome Security Team.
“These exploits provide us valuable insight into the potential attack vectors for exploiting Chrome, and allow us to identify strategies for better hardening specific Chrome features and ideas for future broad-scale mitigation strategies.”
How to qualify for these rewards?
To qualify for these rewards, the submitted exploits must meet specific criteria outlined by Google.
“The full chain exploit must result in a Chrome browser sandbox escape, with a demonstration of attacker control / code execution outside of the sandbox,” said Ressler.
The submitted exploit must be executable remotely, with no or very limited reliance on user interaction, and should “have been functional in an active release channel of Chrome (Dev, Beta, Stable, Extended Stable) at the time of the initial reports of the bugs in that chain.”
Exploits developed from publicly disclosed security vulnerabilities and/or found in outdated versions of Chrome are not eligible.