Chrome bug hunters can earn up to $250,000 for serious vulnerabilities now – here’s how

Estimated read time 3 min read


Google Chrome

Yasin Baturhan Ergin/Anadolu via Getty Images

It’s unfortunate that as technology improves, so do the threats. Bad actors are constantly on the hunt for new ways to exploit unintended or overlooked flaws. Google, recognizing this issue, has updated the reward structure for its Chrome Vulnerability Reward Program (VRP) in an effort to incentivize “deeper security research.”

The money bug hunters can earn moving forward is much higher than before. Now the most you can win on a single issue is $250,000. To earn this bounty, you must perform two important tasks. First, you’ll need to locate a memory corruption bug inside a non-sandboxed process. 

Also: 5 ways to improve your Chrome browser’s security

Memory corruption is when a software’s memory is altered in some way, causing abnormal behaviors. A non-sandboxed process refers to an exploit that can affect all aspects of an app. In this case, the app is Chrome browser. The second criterion is you must provide a “high-quality report” demonstrating remote code execution (RCE). Doing so could net you that quarter of a million dollars. Previously, the maximum amount was capped at $40,000.

From there, the cash prizes decrease as memory corruption bugs become less severe. Demonstrating remote execution in a controlled environment may win you up to $90,000. A report showing active memory corruption could earn you $35,000 max. 

Keep in mind that none of these prizes are guaranteed. Google still needs to review your work. 

There are other scenarios where the tech giant is offering an increased reward. For example, if you locate a memory corruption bug inside “a highly-privileged process,” you could receive up to $85,000. Finding the same exploit in a sandboxed process has a maximum $55,000 reward.

Also: Stop paying for antivirus software. Here’s why you don’t need it

Google is putting a lot of emphasis on locating memory corruption vulnerabilities, but it is also updating the prize structure for other security flaws. What you can get depends on whether something is considered high or low impact. For example, finding a site isolation bypass flaw may net you up to $30,000. Sniffing out a security UI spoofing exploit gives $10,000.

Additionally, the MiraclePtr Bypass Reward has increased exponentially — more than doubled, in fact, from $100,115 to $250,128. You can also win bonus cash prizes. “Identifying the specific commit that introduced the bug” gives a cool $1,000.

If you’re looking for ways to protect yourself online, check out ZDNET’s list of the best identity theft protection and credit monitoring services list.





Source link

You May Also Like

More From Author

+ There are no comments

Add yours