Key Takeaways Google has paid out over $59 million to bounty hunters for finding vulnerabilities in Chrome since 2010.

The Chrome VRP rewards structure has been revamped to offer higher payouts for different vulnerability classes.

Google's updated reward structure now includes separate categories for memory corruption issues and other vulnerabilities based on their impact.

Google's Chrome Vulnerability Reward Program (VRP) kicked off more than a decade ago in 2010, and since then, the company has paid bounty hunters more than $59 million in cumulative payments.

A major chunk of that figure was paid out in 2023, when Google rewarded over $10 million in payments to "600+ researchers based in 68 countries." However, as Chrome evolves, so do vulnerabilities, and in an effort to better reward security researchers and bounty hunters, Google is introducing a revamped reward structure.

"It is time to evolve Chrome VRP rewards and amounts to provide an improved structure and clearer expectations for security researchers reporting bugs to us and to incentivize high-quality reporting and deeper research of Chrome vulnerabilities, exploring them to their full impact and exploitability potential," reads Google's update.

The most important change being implemented is the separation of memory corruption issues from other vulnerability classes, with the vulnerability now failing under the following categories:

Memory Corruption Bugs

High-quality report with demonstration of RCE

High-quality report demonstrating controlled write

High-quality report of memory corruption

Baseline

According to the tech giant, rewards for baseline reports will remain consistent. Other categories, however, will now offer greater rewards, with the highest potential reward being $250,000 for a remote code execution (RCE) in a non-sandboxed process. This beats the current top payout $100,115 for a MiraclePtr bypass by a factor of more than two.

High-quality report with demonstration of RCE High-quality report demonstrating controlled write High-quality report of demonstrated memory corruption Baseline Memory corruption / RCE in a non-sandboxed process Up to $250,000 Up to $90,000 Up to $35,000 Up to $25,000 Memory corruption / RCE in a highly-privileged process (e.g. GPU or network processes) Up to $85,000 Up to $70,000 Up to $15,000 Up to $10,000 Memory corruption / RCE in a sandboxed process (e.g. renderer process) Up to $55,000 Up to $50,000 Up to $10,000 Up to $7,000

Rewards for other vulnerabilities

Other vulnerability classes have also been tweaked, with Google considering factors like the vulnerabilities' impact, ease of exploitability, and the degree of control the attacker might have over the exploitation process.

Unlike Memory Corruption Bugs, Google is also categorizing other vulnerabilities based on their impact.

High quality && High Impact High quality && Moderate Impact Baseline || Lower Impact UXSS || Site isolation bypass Up to $30,000 Up to $20,000 Up to $10,000 Security UI Spoofing Up to $10,000 ($7,500 previously) Up to $5,000 (N/A previously) Up to $3,000 ($3,000 previously) User information disclosure Up to $25,000 ($20,000 previously) Up to $10,000 (N/A previously) Up to $2,000 (same as before) Local privilege escalation Up to $15,000 Up to $5,000 Up to $2,000 Web platform privilege escalation Up to $7,000 ($5,000 previously) Up to $4,000 ($3,000 previously) Up to $1,000 (same as before) Exploitation Mitigation bypass Up to $5,000 (same as before) Up to $4,000 ($3,000 previously) Up to $1,000 (same as before)

All bonus rewards, including Bisect Bonus, Patch Bonus, and Fuzzer Bonus, remain active and consistent. The tech giant suggested that it would continue exploring more experimental reward opportunities, similar to the previous Full Chain Exploit Bonus.