V8 exploits – so hot right now
Previously, a report had to include a fully functional exploit to qualify for the top tier of Google’s bug bounty pay-outs, ‘high-quality report with functional exploit’.
“Demonstration of how a bug might be exploited is one factor that the panel may use to determine that a report is ‘high-quality’, our second highest tier, but we want to encourage more of this type of analysis,” says Chrome Vulnerability Rewards panellist Martin Barbella in a blog post.
“This information is very useful for us when planning future mitigations, making release decisions, and fixing bugs faster. We also know it requires a bit more effort for our reporters, and that effort should be rewarded.”
Start your engines
Reports qualifying for the new bonus will get double the previous amount. A high-quality report with functional exploit for renderer remote code execution or memory corruption in a sandboxed process, for example, will now net its discoverer up to $20,000.
And researchers shouldn’t have to jump through too many hoops to qualify for the new rewards.
“Any V8 bug report which would have previously been rewarded at the high-quality report with functional exploit level will likely qualify with no additional effort from the reporter. By definition, these demonstrate that the issue was exploitable,” says Barbella.
“V8 reports at the high-quality level may also qualify if they include evidence that the bug is exploitable as part of their analysis.”
There’s more information on changes to the Chrome Vulnerability Reward Program here.