
Google ups bug bounties for ‘high quality’ Chrome hunters

News · 29 Aug 2024 · 3 mins

Security researchers can now earn a quarter million dollars reporting high-impact memory corruption vulnerabilities in Chrome.


Google has announced new compensation incentives for people who find vulnerabilities in the Chrome browser as part of the company’s Chrome Vulnerability Reward Program (VRP).

The increases to its Chrome bug reward structure follow increases Google made last month for “exceptional quality” reports of flaws in a range of Alphabet offerings, including Gmail and Nest. The changes ensure that Google and Alphabet again rank among the top bug bounty programs this year.

This week’s Chrome VRP announcement includes an overhaul of the company’s reward structure for memory corruption vulnerabilities, with compensation of up to US$250,000 for demonstrating remote code execution (RCE) in a non-sandboxed process. Reporters who do so are eligible for an additional US$55,000 if they also demonstrate renderer RCE.

Lower tiers of compensation, which do not require RCE, cover demonstration of a controlled write or of memory corruption.

The baseline for bugs that do not reach the bar of such “higher-quality reports” ranges from US$7,000 to US$25,000.

Last year, total payouts in Google’s bug hunter program were US$10 million, distributed among 632 people from 68 countries. Just over a third of the sum (US$3.4 million) concerned Android vulnerabilities. The second-largest expenditure (US$2.1 million) concerned Chrome bugs.

News of the increased bug bounties for Chrome came a day after Google announced that a critical Chrome bug was exploited in the wild after a patch was released. The vulnerability (CVE-2024-7965) involves the V8 JavaScript and WebAssembly engine and carries a CVSS rating of 8.8 out of 10. Discovery of CVE-2024-7965 was credited to TheDog as part of Google’s bug bounty program. TheDog received US$11,000 for the report.

Google has faced at least nine zero-days in Chrome this year, with four Chrome zero-days patched in May alone.

The VRP also spelled out reward categories for non-memory-corruption bugs based on report quality. These include “high quality and high impact” flaws, “high quality and moderate impact” vulnerabilities, and baseline, lower-impact issues. The bugs are also tiered by class: universal cross-site scripting (UXSS), security UI spoofing, user information disclosure, local privilege escalation, web platform privilege escalation, and exploitation mitigation bypass. Payouts decrease in that order.

The Chrome VRP team also provides examples of low-, moderate-, and high-impact bugs.

In total, Google has paid out US$59 million since its bug hunter programs were launched in 2010. In 2022, a record year, US$12 million was paid out.