Rock Google Chrome hard enough and get paid half a million

Google's Chrome Vulnerability Rewards Program (VRP) is now significantly more rewarding – with a top payout that is at least twice as large.

Citing the challenge of finding consistent, exploitable bugs in its Chrome browser after 16 years in release, Amy Ressler, Information Security Engineer at Chocolate Factory, explained that it was time to rethink Chrome VRP rewards to incentivize higher quality bug reporting and deeper research about Chrome vulnerabilities.

Google's approach, according to Ressler, reflects a move away from a list of specific rewards that have separated memory corruption problems from other classes of vulnerabilities. In recent years, memory safety has become an industry and government priority because the majority of meaningful bugs in large C++ codebases such as Chrome are due to flaws such as use-after-free and buffer overflows.

Google's new reward structure for memory corruption bugs focuses on four vulnerability categories: a high-quality report demonstrating remote code execution (RCE); a high-quality report showing a controlled write to an arbitrary memory location; a high-quality report of memory corruption; and a baseline report consisting of a stack trace and proof-of-concept exploit code.
