Google to pay up to $250,000 to find bugs in Chrome

To keep Google Chrome safe, the tech giant has been running a program called the Chrome Vulnerability Rewards Program (VRP) for the past 14 years. This program rewards security researchers—people who find and report bugs or vulnerabilities in software—with cash prizes of up to $250,000.

According to Google, as Chrome has become more secure over the years, finding significant bugs has become harder. To encourage more thorough and high-quality research, Google has recently updated the reward structure of this program. The new system is designed to make it clearer how much a bug is worth, depending on its impact, and to encourage researchers to dig deeper into the vulnerabilities they find.

How the new reward structure works

Google's new reward structure is more detailed and splits bugs into different categories based on how dangerous they could be. Here's a simple breakdown:

Memory corruption bugs

Memory corruption bugs are serious because they can cause a program to crash or let an attacker take control of a system. Google has divided these into several levels:

Remote Code Execution (RCE): This is when a bug lets someone run harmful code from a distance. If someone finds this kind of bug and shows how it works, they could earn up to $250,000.

Controlled write: If a bug allows someone to write data to any part of a system's memory, the reward can be up to $90,000.

Memory corruption: Bugs that mess with how memory is handled but aren't as severe as the ones above can still bring in up to $35,000.

Basic report: Even a report that shows memory corruption without detailed exploitation can earn up to $25,000.

Google wants researchers to go the extra mile to show how dangerous a bug could be, which is why the rewards are higher for more detailed reports.

Other types of bugs

Not all bugs are about memory corruption. Google also offers rewards for other kinds of vulnerabilities:

High impact: These are bugs that are easy to exploit and can cause serious harm to users. Finding and explaining one of these could earn up to $30,000.

Moderate impact: These bugs are harder to exploit but still pose a risk, with rewards up to $20,000.

Lower impact: Even bugs with less potential for harm can earn up to $10,000.

Google has also increased rewards for certain specialised bugs. For example, if you find a way to bypass a specific security feature called MiraclePtr, you could earn up to $250,128.

For people who are into computer security, this updated reward program can potentially be a good deal. It not only offers more money for finding bugs but also encourages researchers to fully explore the potential dangers of the vulnerabilities they discover. 

To learn more about this program, check Google's official announcement.
