Google has significantly increased payouts for security vulnerabilities in Google Chrome, with the maximum reward for a single bug now exceeding $250,000.

This enhancement is part of Google’s efforts to strengthen its Vulnerability Reward Program (VRP), which incentivizes security researchers to find and report flaws in the Chrome browser.

Starting today, Google will offer differentiated rewards based on the quality of the reports and the thoroughness of the research. For instance, basic reports that demonstrate Chrome memory corruption with stack traces and a proof-of-concept can earn up to $25,000. However, more comprehensive reports that include remote code execution (RCE) demonstrations through functional exploits could earn much higher rewards.

Chrome Security engineer Amy Ressler emphasized the importance of evolving the VRP rewards to motivate researchers to conduct deeper investigations into Chrome vulnerabilities. “It is time to evolve Chrome VRP rewards and amounts to provide an improved structure and clearer expectations for security researchers reporting bugs to us and to incentivize high-quality reporting and deeper research of Chrome vulnerabilities,” Ressler stated.


The highest potential reward now stands at $250,000 for a demonstrated RCE in a non-sandboxed process. If that RCE is achieved without first compromising the renderer, the reward can be higher still, since the separate renderer RCE reward is added on top.

In addition to these increases, Google has also doubled the reward for MiraclePtr bypasses, boosting the payout from $100,115 to $250,128. The company will continue categorizing vulnerabilities into different impact levels—low, moderate, and high—based on their exploitability and potential harm to users.


All reports are still eligible for bonus rewards if they meet certain criteria, and Google plans to explore more experimental reward opportunities similar to the previous Full Chain Exploit Reward. However, reports that lack demonstrable security impact or user harm, or are purely theoretical, may not qualify for a VRP reward.