Record-Breaking Payout: Google Awards $250,000 for a Critical Chrome Flaw (CVE-2025-4609)
Ddos 
A recently disclosed Chromium issue details a critical security vulnerability (CVE-2025-4609) discovered on April 23, 2025, by a security researcher. The flaw, classified as a Chrome browser sandbox escape, poses an exceptionally severe risk.
Interestingly, the researcher initially rated the vulnerability as medium severity, but after evaluation, Google engineers determined it to be highly dangerous. As a result, Google assigned it an S0/S1 severity levelβthe highest in its classificationβand prioritized the fix as P1.
According to the description, the flaw resided in the renderer process. An IPCZ error allowed the renderer to reuse browser process handles, enabling it to escape the sandbox and bypass multiple security boundaries designed to protect Chrome.
Google patched the vulnerability in a Chrome update released in May. With the 90-day disclosure period now elapsed, the full technical details have been made public for security researchers interested in analyzing the exploit.
For the researcher, this discovery proved exceptionally rewarding. After thorough assessment, Google deemed the bug both highly impactful and technically complex, awarding the maximum payout under the Chrome Vulnerability Reward Program (VRP)β$250,000.
Typically, Chrome security vulnerabilities yield rewards in the range of a few thousand dollars. The $250,000 payout is the programβs highest possible award and, to the best of public knowledge, the first time in at least a decade that the top reward has been granted.
Under the Chrome VRP guidelines, sandbox escapes and memory corruption vulnerabilities outside the sandbox can earn between $25,000 and $250,000, with the maximum awarded for high-quality reports that include a working remote code execution (RCE) proof of concept. Other process and memory corruption bugs are capped at $85,000.
Such a record-breaking $250,000 award is extraordinarily rare, underscoring both the exceptional quality of the submitted report and the critical severity of the vulnerabilityβfactors that led Google to grant its highest-ever bounty.
Related Posts:
- Google Awards Nearly $12 Million in 2024 to Security Researchers through Its Vulnerability Reward Program
- Intel re-launch Bug Bounty Program: The award is up to $250,000
- $60 Million and Counting: Microsoft Rewards Bug Bounty Hunters
- Mirai Botnet Unleashes Record-Breaking DDoS Attack, Cloudflare Thwarts Threat
Support Our Threat Intelligence
If you find our CVE report and cybersecurity news helpful, consider supporting our work.
Buy Me a Coffee
PayPal
