Google offers a wide range of software solutions and services for both regular users and businesses. The company has its own testing teams to find potential bugs and vulnerabilities. However, they also have bounty programs that encourage external researchers to participate in the process. Now, the company is restructuring its payment scheme to find vulnerabilities in Chrome.
Recently, Google shut down the Google Play Security Reward Program (GPSRP). They made the decision based on the platform’s maturity and the effectiveness of the company’s malware detection tools. However, there are other segments that still require the assistance of external researchers, such as AI-based platforms and Chrome, the protagonist of this article. For the latter, Google has the Chrome Vulnerability Reward Program (VRP).
Google launches new payment scheme for Chrome vulnerability research
Google debuted Chrome’s VPR 14 years ago, tweaking the rewards from time to time according to the needs of the platform. Now, the company is making a new restructure that seeks to “incentivize high-quality reporting and deeper research of Chrome vulnerabilities, exploring them to their full impact and exploitability potential.” The changes involve up to twice as high rewards for some vulnerabilities, such as MiraclePtr-related ones.
Chrome’s new VPR structure separates vulnerabilities into two main segments. There are now “memory corruption vulnerabilities” and “other vulnerabilities.” The memory corruption findings are divided into four categories: High-quality report with demonstration of RCE (involves remote code execution), high-quality report demonstrating controlled write (involves memory writing by the attacker), high-quality report of memory corruption, and baseline (demo of triggerable memory corruption in Chrome).
In each category, there are certain parameters that determine the payment for the findings. For instance, ascertain whether the processes are sandboxed (isolated or under controlled environments), not sandboxed, or highly privileged. The table below illustrates the new payout scheme for memory corruption vulnerabilities.
Then, as the segment name suggests, “other vulnerabilities” houses the ones not related to memory corruption. The company is implementing a “more deterministic” approach. There are now three categories based on the report’s quality and the vulnerability’s impact on users. There are “Lower impact”, “Moderate impact”, and “High impact.” The new payment scheme for this section is as follows:
Payments for MiraclePtr vulnerabilities rise significantly
Finally, a change has been made to the rewards system for vulnerabilities based on MiraclePtr. In Chrome, there are Use-After-Free (UAF) vulnerabilities that basically result in excessive or incorrect use of dynamic memory. You’ve probably heard how “greedy” Chrome is with memory, and this is one of the reasons. In recent years, Google has largely mitigated the related problems. MiraclePtr is one of the measures taken by the Mountain View giant. The MiraclePtr project basically prevents UAFs from leading to security risks or memory leaks.
Previously, the maximum reward for finding MiraclePtr vulnerabilities was $100,115. Now, the company is raising this figure to $250,128. Plus, the company is no longer labeling vulnerabilities present in non-renderer processes as “security bugs.” Basically, as the difficulty increases, so does the reward.
