Google launched the Chrome Vulnerability Rewards Program (VRP) back in 2010, encouraging researchers to find exploits in Chrome and Chrome OS in return for monetary rewards. These bugs would then be fixed by the company to make its software more secure. Over the years, the program has grown substantially and now offers rewards of up to $150,000.
Now, Google has announced that it is expanding the rewards program even further and will offer almost double the bonus amount for high quality reports that demonstrate exploits in its V8 JavaScript engine.
Previously, Google would offer bonus rewards only for reports that demonstrate a fully functional exploit in V8. Now, the firm will also be rewarding researchers who spend time to present evidence about how a security bug may be exploited. The monetary values of these bounties are also being essentially doubled. You can view the updated values for V8 exploits below:
High-quality report with functional exploit | High-quality report with evidence of exploit | Baseline | |
---|---|---|---|
Renderer RCE / memory corruption in a sandboxed process (in V8) | Up to $20,000 (from $10,000) | Up to $15,000 (from $7,500) | N/A |
Exploitation Mitigation Bypass (in V8) | Up to $10,000 (from $5,000) | Up to $6,000 (from $3,000) | N/A |
Google has noted that reporters who present evidence of exploitability also help the company in fixing bugs and planning future mitigations, so should be rewarded as such. It has also highlighted that even if a V8 security bug doesn"t fit into the aforementioned categories, it may still be eligible for a higher reward.
You can visit the Chrome VRP webpage to learn more about the program and what kind of documentation and evidence you need to produce to qualify for bonus tiers of rewards.