Rock Chrome hard enough and get paid half a million

Google revises Chrome Vulnerability Rewards Program with higher payouts for bug hunters

Google's Chrome Vulnerability Rewards Program (VRP) is now significantly more rewarding – with a top payout that's at least twice as substantial.

Citing the challenge of finding consequential, exploitable bugs in its Chrome browser after 16 years in release, Amy Ressler, information security engineer at the Chocolate Factory, explained it was time to rethink Chrome VRP rewards to incentivize higher quality bug reporting and deeper research into Chrome vulnerabilities.

Google's approach, according to Ressler, reflects a move away from a flat list of specific rewards toward a structure that treats memory corruption issues separately from other classes of vulnerabilities. Memory safety has become an industry and government priority over the past few years because the majority of meaningful bugs in large C++ codebases like Chrome come down to flaws like use-after-free and buffer overflows.

Google's new reward structure for memory corruption bugs focuses on four vulnerability categories: high-quality report with demonstration of remote code execution (RCE); high-quality report demonstrating controlled write to an arbitrary memory location; high-quality report of memory corruption; and a baseline report consisting of a stack trace and proof-of-concept exploit code.

"While the reward amounts for baseline reports of memory corruption will remain consistent, we have increased reward amounts in the other categories with the goal of incentivizing deeper research into the full consequences of a given issue," said Ressler. "The highest potential reward amount for a single issue is now $250,000 for demonstrated RCE in a non-sandboxed process."

Demonstrating RCE in a non-sandboxed process without first compromising the renderer qualifies for a higher amount still, since that payout also folds in the reward for the renderer RCE.

Other classes of vulnerabilities top out at $30,000 for a high-quality report of a high-impact bug, the ceiling being a UXSS (universal cross-site scripting) or site isolation bypass.

Then there's the award for bypassing MiraclePtr, Chrome's mechanism for neutralizing use-after-free bugs. Under the hood it is a smart pointer type (raw_ptr<T>, backed by a scheme called BackupRefPtr) that keeps a reference count in the allocation's header: while that count is positive, memory the owner has freed is poisoned and quarantined rather than handed back for reuse, and it is only really released once the count drops to zero, so a dangling pointer reads junk instead of attacker-controlled data.
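
As an added illustration, not Chrome's code and not taken from Google's post, the C++ sketch below models the BackupRefPtr idea described above: a toy allocator with a per-slot header holding a reference count, a protected pointer type that bumps the count, and a Free() that poisons and quarantines a slot while references remain. The names toy::Alloc, toy::Free, ProtectedPtr and SlotHeader, and the 0xEF poison byte, are assumptions made for this example; Chrome's real raw_ptr<T> sits on top of PartitionAlloc and differs in detail.

```cpp
// Toy model of the BackupRefPtr scheme behind MiraclePtr (illustration only, not
// Chrome code). toy::Alloc/Free, ProtectedPtr, SlotHeader and kPoison are assumed.
#include <cstddef>
#include <cstdint>
#include <cstring>
#include <new>

namespace toy {

// Header kept in front of every slot the toy allocator hands out.
struct alignas(16) SlotHeader {
  uint32_t ref_count;  // outstanding ProtectedPtr references (raw_ptr<T> in Chrome)
  uint32_t size;       // payload size, so Free() knows how much to poison
  bool freed;          // the owner has already released the object
};

constexpr uint8_t kPoison = 0xEF;  // assumed poison value for quarantined slots
constexpr size_t kHeader = sizeof(SlotHeader);
static size_t g_released = 0;      // slots really returned to the allocator (demo)

inline SlotHeader* HeaderOf(void* p) {
  return reinterpret_cast<SlotHeader*>(static_cast<char*>(p) - kHeader);
}

void* Alloc(size_t n) {
  char* raw = static_cast<char*>(::operator new(kHeader + n));
  *reinterpret_cast<SlotHeader*>(raw) = SlotHeader{0, static_cast<uint32_t>(n), false};
  return raw + kHeader;
}

// Hand the slot back for reuse. Only safe once no protected reference remains.
void ReleaseSlot(void* p) {
  ++g_released;
  ::operator delete(static_cast<char*>(p) - kHeader);
}

// Called by the owner instead of free(): poison the payload so a dangling reader
// sees junk, and keep the slot quarantined while protected references remain.
void Free(void* p) {
  SlotHeader* h = HeaderOf(p);
  h->freed = true;
  std::memset(p, kPoison, h->size);
  if (h->ref_count == 0) ReleaseSlot(p);
}

// Minimal analogue of raw_ptr<T>: non-owning, but it pins the slot's memory.
template <typename T>
class ProtectedPtr {
 public:
  ProtectedPtr() = default;
  explicit ProtectedPtr(T* p) : p_(p) { Acquire(); }
  ProtectedPtr(const ProtectedPtr& o) : p_(o.p_) { Acquire(); }
  ProtectedPtr& operator=(const ProtectedPtr& o) {
    if (this != &o) { Release(); p_ = o.p_; Acquire(); }
    return *this;
  }
  ~ProtectedPtr() { Release(); }
  T* operator->() const { return p_; }

 private:
  void Acquire() { if (p_) ++HeaderOf(p_)->ref_count; }
  void Release() {
    if (!p_) return;
    SlotHeader* h = HeaderOf(p_);
    // Last reference to an already-freed object: the quarantine ends here.
    if (--h->ref_count == 0 && h->freed) ReleaseSlot(p_);
    p_ = nullptr;
  }
  T* p_ = nullptr;
};

}  // namespace toy

struct Widget { uint32_t secret; };

// Classic use-after-free shape: a cached pointer outlives the object. Under the
// toy scheme the read yields the poison pattern instead of reallocated data.
uint32_t DanglingReadSeesPoison() {
  void* mem = toy::Alloc(sizeof(Widget));
  Widget* w = new (mem) Widget{0x41414141u};
  toy::ProtectedPtr<Widget> cached(w);  // e.g. a back-pointer held by another object
  toy::Free(mem);                       // owner releases w; cached still points at it
  return cached->secret;                // 0xEFEFEFEF
}

// The slot is only returned to the allocator once the last reference drops.
bool ReleasedOnlyAfterLastRef() {
  size_t before = toy::g_released;
  void* mem = toy::Alloc(sizeof(Widget));
  Widget* w = new (mem) Widget{1};
  bool quarantined;
  {
    toy::ProtectedPtr<Widget> a(w);
    toy::ProtectedPtr<Widget> b = a;
    toy::Free(mem);
    quarantined = (toy::g_released == before);  // two refs alive: not released yet
  }                                             // a and b go out of scope here
  return quarantined && toy::g_released == before + 1;
}
```

The two functions exercise the two properties the paragraph describes: a dangling dereference through the counted pointer sees poison rather than reused memory, and the slot is only freed for real once the count reaches zero. Note what the scheme does not cover: only pointers routed through the counted type pin the slot, so an access through a plain T* that was never converted is unaffected, which is exactly the kind of gap a bypass report has to demonstrate.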

The launch of MiraclePtr in Chrome's active release channels last year meant that bugs mitigated by MiraclePtr in non-renderer processes were considered to be substantially mitigated. But being able to bypass MiraclePtr protection was deemed worthy of a special reward in the amount of $100,115.

As of Chrome 128, Ressler says, MiraclePtr-protected bugs in non-renderer processes are no longer considered security bugs at all. Google now treats MiraclePtr as a declared security boundary, and a demonstrated bypass is eligible for a reward that reflects the seriousness of crossing that line: $250,128.

So per Google's documentation, a new use-after-free bug that demonstrates a MiraclePtr bypass with a high-impact, functional exploit and a high-quality writeup could net $500,128: the $250,000 for demonstrated RCE in a non-sandboxed process plus the $250,128 bypass reward.

Get hunting. ®
