
Google beefs up Chrome bug bounty program


Google will pay higher rewards of up to $250,000 for memory corruption flaws in the Chrome browser that are shown to achieve remote code execution in a non-sandboxed process, as part of a more robust vulnerability reward program, according to SecurityWeek.

Additional bounties could also be provided for proof-of-concept code enabling RCE without renderer compromise, according to Google, which will also offer up to $90,000 for reports detailing security flaws that could enable controlled write in a non-sandboxed process and up to $35,000 for those that could enable memory corruption. Google has also upgraded rewards for reports demonstrating RCE in a highly privileged process to up to $85,000 and for those showing RCE in a sandboxed process to up to $55,000, although memory corruption baseline rewards have been maintained to encourage further research into discovered flaws. Also included in the strengthened VRP for Chrome is a $250,128 reward for MiraclePtr-bypassing flaws, up from the previous bounty of $100,115.
