Source URL: https://www.theregister.com/2024/08/29/google_chrome_vuln_rewards/
Source: The Register
Title: Rock Chrome hard enough and get paid half a million
Feedly Summary: Google revises Chrome Vulnerability Rewards Program with higher payouts for bug hunters
Google’s Chrome Vulnerability Rewards Program (VRP) is now significantly more rewarding – with a top payout that’s at least twice as substantial.…
AI Summary and Description: Yes
Summary: Google’s Chrome Vulnerability Rewards Program (VRP) has been revamped to enhance incentives for reporting security vulnerabilities in the Chrome browser. With a focus on memory safety, new reward tiers aim to encourage researchers to report more significant bugs, particularly in memory corruption categories, reflecting an industry-wide shift towards stronger security measures.
Detailed Description:
Google is amplifying its efforts to strengthen the security posture of its Chrome browser through a revised Vulnerability Rewards Program (VRP) that offers significantly higher payouts for discovering critical vulnerabilities. This move addresses the need for a deeper understanding of memory corruption issues that pose considerable risks within large codebases like Chrome.
Key points include:
* **Increased Payouts**: The VRP now offers a maximum reward of $250,000 for demonstrated remote code execution (RCE) without a sandbox, doubling previous potential rewards.
* **Focus on Memory Safety**: Emphasizing the urgency of finding and reporting bugs that compromise memory integrity, Google has defined four main categories for which higher rewards are available:
– High-quality reports demonstrating RCE.
– High-quality reports showing controlled writes to arbitrary memory locations.
– Reports of memory corruption issues.
– Baseline reports providing a stack trace and proof-of-concept exploit code.
* **Special Rewards for MiraclePtr**: The introduction of MiraclePtr offers further distinction in reward structure. MiraclePtr is a mechanism aimed at preventing use-after-free vulnerabilities. Successfully bypassing this protection can earn a reward of $100,115, while severe violations could net up to $500,128.
* **Elimination of Lower Tiers**: As Chrome moves to a more rigorous reward system, certain previous categories are being consolidated to focus on high-impact vulnerabilities that are increasingly relevant to modern security threats.
* **Research Incentive**: The goal behind these changes is to inspire deeper research into vulnerabilities and their consequences, potentially leading to a more secure web environment.
This revamped program is a response to the growing trend of prioritizing security measures, particularly against the backdrop of exponential increases in cyber threats aimed at browser security. Security professionals and ethical hackers may view this as a significant opportunity to contribute to the safeguarding of web technologies while also being financially rewarded for their expertise.