Google has announced plans to triple the amount of cash available to those submitting their findings to its Vulnerability Reward Program (VRP) for Chrome in certain circumstances, with pots of up to $180,000 available until the start of December 2023.
In a press release, the browser maker said the first security bug report received with a functional full chain exploit, resulting in a Chrome sandbox escape, would be eligible for triple the regular full reward amount, which means $165,000-$180,000 could be on the cards.
On top of that life-changing sum, further bonuses could potentially be available. Subsequent full chains submitted to Google via the VRP could also be eligible for double the full reward amount (or $110,000-$120,000).
Google offers $180,000 to find Chrome bugs
Google explained that, to qualify for the largest sum of money, “exploitation must be able to be performed remotely and no or very limited reliance on user interaction.”
The exploit should also be functional in an active release channel of Chrome, not a previous version, though this can include the Dev, Beta, Stable, and Extended Stable channels.
According to the Chrome VRP page by Google’s Bug Hunters, further bonuses could be issued for identifying the earliest major release or oldest active release channel impacted by the vulnerability, for identifying the commit responsible for the vulnerability, and a handful of other reasons.
The VRP page also details how successful candidates who don’t wish to keep their reward can have it donated to charity in a process where Google will consider doubling the value as part of a charitable offering.
Full details of the Chrome Vulnerability Reward Program are available on Google’s dedicated website.