August 29, 2024 at 12:35PM
Google’s Chrome Vulnerability Rewards Program has increased rewards, specifically addressing memory safety with up to $250,000 for demonstrated remote code execution. Other classes of vulnerabilities have rewards up to $30,000 and special rewards of $100,115 and $250,128 for bypassing security measures. A new bug could potentially earn $500,128.
Based on the meeting notes, the main takeaways are:
1. Google has made significant updates to its Chrome Vulnerability Rewards Program (VRP), with a focus on incentivizing higher quality bug reporting and deeper research into Chrome vulnerabilities.
2. The new reward structure for memory corruption bugs focuses on four vulnerability categories, with the highest potential reward amount for a single issue being $250,000 for demonstrated remote code execution in a non-sandboxed process.
3. A special reward of $100,115 is available for bypassing MiraclePtr, and a new use-after-free memory corruption bug that demonstrates a MiraclePtr bypass with a high-impact, functional exploit and a high-quality write-up could potentially net $500,128.
4. With the launch of Chrome 128, MiraclePtr-protected bugs in non-renderer processes are no longer considered security bugs, and bypassing MiraclePtr is eligible for a reward of $250,128.
Overall, the meeting outlined Google’s efforts to increase rewards for specific vulnerability categories and to emphasize the seriousness of certain types of Chrome vulnerabilities, aiming to encourage researchers to engage in more comprehensive investigations.