Google Increases Maximum Bounty For Chrome Bugs
Written by Alex Armstrong   
Thursday, 02 October 2014

Google has upped the top payout for its Chrome Reward program to $15,000 and is applying the increased rates to submissions made since July 2014.

From now on researchers will also get fame as well as fortune with their names appearing in the Google Hall of Fame.

Announcing the increase, Tim Willis of the Chrome Security team gives the information that Google has so far paid out $1.25 million through its Chrome Reward Program and points out that as Chrome has become more secure it has got harder to find bugs in it. He writes:

This is a good problem to have! In recognition of the extra effort it takes to uncover vulnerabilities in Chrome, we’re increasing our reward levels.

In an effort to be transparent, the new reward amounts are outlined in this table, together with its explanatory notes:

 High-quality report with
functional exploit [1]
High-quality report [2]Baseline [3]Low-quality report [4]
Sandbox Escape [5] $15,000 $10,000 $2,000 - $5,000 $500
Renderer Remote Code Execution $7,500 $5,000 $1,000 - $3,000 $500
Universal XSS (local bypass or equivalent) $7,500 $5,000 N/A N/A
Information Leak $4,000 $2,000 $0 - $1000 $0

[1] A high-quality report with a reliable exploit that demonstrates that the bug reported can be easily, actively and reliably used against our users.
[2] A report that includes a minimized test case and the versions of Chrome affected by the bug. You will also demonstrate that exploitation of this vulnerability is very likely (e.g. good control of EIP or another CPU register). Your report should be brief and well written with only necessary detail and commentary.
[3] A minimized test case or output from a fuzzer that highlights a security bug is present.
[4] A report submitted with only a crash dump, without a Proof of Concept (PoC) or with a poor quality PoC (e.g. a 1MB fuzz file dump with no attempt at reduction) that is later verified to be a legitimate issue.
[5] Escaping any layer of the sandbox (including the NaCl sandbox) will be considered as a sandbox escape.

Willis states in the blog post:

we’ll pay at the higher end of the range when researchers can provide an exploit to demonstrate a specific attack path against our users. Researchers now have an option to submit the vulnerability first and follow up with an exploit later. We believe that this a win-win situation for security and researchers: we get to patch bugs earlier and our contributors get to lay claim to the bugs sooner, lowering the chances of submitting a duplicate report.

Researchers may receive even more than specified in the table for "particularly great reports".

The FAQ's on the Chrome Reward Program Rules page also gives information about a new Trusted Researcher program. This is an invitation-only program that offers skilled fuzzer developers to run their fuzzers at Google scale. Researchers receive 100% of the reward value for any bugs found by their fuzzers, providing that the same bug was not found by one of Google's fuzzers within 48 hours. The FAQ states:

The easiest way to get an invite into this program is to submit quality bugs that are found with one of your fuzzers. If we like what we see, we’ll reach out with the details!




Deno Adds Support For Private npm Registries

Deno 1.44 has been released with support for private npm registries and for gRPC connections.

GitHub Announces 2024 Accelerator Cohort Winners

GitHub has announced the companies chosen to form the next cohort for GitHub Accelerator. Find out about this year's participating projects, all of which focus on AI.

More News


C book



or email your comment to:


Last Updated ( Thursday, 02 October 2014 )