Chrome Extensions Vulnerability Reward Program Rules
The Chrome Extension VRP looks to reward security researchers for their efforts to improve the security of in-scope first-party Chrome extensions by reporting vulnerabilities they have identified.
Previously, similar vulnerabilities were in scope under the Google & Alphabet VRP; however, we established the Chrome Extensions VRP to better define the scope and rewards of the program.
Scope
The following Chrome extensions are in scope of this program:
- Extensions in the "By Google" collection
- Extensions in the default-installed extension list
- The Perfetto UI extension
Qualifying vulnerabilities
Any design or implementation issue that substantially affects the confidentiality or integrity of user data is likely to be in scope for the program. Common examples include:
- Cross-site scripting,
- Clickjacking,
- Cross-site request forgery,
- Authentication or authorization flaws.
Note that the scope of the program is limited to technical vulnerabilities in the Chrome extensions listed in the Scope section just above; please do not try to sneak into Google offices, attempt phishing attacks against our employees, and so on.
Out of concern for the availability of our services to all users, please do not attempt to carry out DoS attacks, leverage black hat SEO techniques, spam people, or do other similarly questionable things. We also discourage the use of any vulnerability testing tools that automatically generate very significant volumes of traffic.
Non-qualifying vulnerabilities
See our list of non-qualifying vulnerabilities for the Google VRP.
Reward amounts for vulnerabilities in Chrome extensions
We are looking for security vulnerabilities in Chrome extensions developed by Google (see the Scope section for more details).
The following table outlines the usual rewards chosen for the most common classes of bugs found in Chrome extensions.
| Category | Minimal user interaction [1] | Multiple user interactions [2] |
|---|---|---|
| 1) XSS [3] on extension origin | $10,000 | $5,000 |
| 2) UXSS [3], SOP bypass, or other high-impact bugs which require a compromised renderer [4] | $500 - $5,000 | N/A |
| 3) (U)XSS [3] on sites through an extension bug | Based on the target tier defined in Google VRP. | Based on the target tier defined in Google VRP. |
| 4) Other valid security vulnerabilities | $500 - $7,500 | $500 - $5,000 |
[1] Bugs which only require a victim to visit a website + single user interaction on the page (e.g. a click).
[2] Any bugs requiring more user interactions than above. For example, a bug that requires a victim to right-click on a link and then select "Open in a new tab" (to navigate to extension pages). An unreasonable amount of user interaction will be out of scope for a reward.
[3] XSS mitigated by CSP is not in scope. Please either find a CSP bypass or find other ways to demonstrate the impact of the bug.
[4] A bug requiring a compromised renderer must have a functional exploit. For example, given you can execute a script in the context of a content script (assuming that it was injected in an attacker-controlled page), you must demonstrate how that results in a significant compromise (e.g. account takeover).
The following additional criteria are applied to reports concerning Chrome extensions:
- Bonus – UXSS bugs in category 2) or 3) will receive a $1,000 bonus.
- Downgrades – Bugs in extensions with fewer than 1 million users are downgraded (i.e. $10k→$7.5k, $7.5k→$5k, $5k→$3,133.7, $3,133.7→$1,337, $1,337→$500, $500→$0).
Investigating and reporting bugs
When investigating a vulnerability related to Chrome extensions, please only ever target your own accounts. Never attempt to access anyone else's data, and do not engage in any activity that would be disruptive or damaging to your fellow users or to Google.
Note: Visit our Bug Hunter University articles to learn more about sending good vulnerability reports.
If you have found a vulnerability related to Chrome extensions, please submit your report through the report form (report to Chrome Extensions VRP). Please be succinct: your report is triaged by security engineers and a short proof-of-concept link is more valuable than a video explaining the consequences of a specific bug type. If necessary, you can use this PGP key.
Note that we are only able to respond to vulnerability reports related to Chrome extensions. Non-security bugs and queries about problems with your account should instead be directed to Google Help Centers.
Frequently asked questions
Q: Are all Google-owned Chrome extensions in scope of this program?
A: No. Only Chrome extensions which are listed in the Scope section are eligible for a reward.
Legal points
We are unable to receive reports and/or issue rewards to individuals or entities that are on sanctions lists, or who are in territories subject to sanctions (e.g., Cuba, Iran, North Korea, Syria, Crimea, and the so-called Donetsk People's Republic and Luhansk People's Republic). Additionally, due to administrative difficulties, we no longer issue rewards to individuals or entities located in Russia.
You are responsible for any tax implications depending on your country of residency and citizenship. There may be additional restrictions on your ability to enter depending upon your local law.
This is not a competition, but rather an experimental and discretionary rewards program. You should understand that we can cancel the program at any time, and the decision as to whether or not to pay a reward is entirely at our discretion.
Of course, your testing must not violate any law, or disrupt or compromise any data that is not your own.