
A security researcher has earned $250,000 from Google for reporting a critical Chrome vulnerability that allowed attackers to escape the browser’s sandbox. This is a new record payout from Google for a single security vulnerability report.
The flaw, tracked as CVE-2025-4609, was reported on April 22 by a researcher known as Micky. It affected Chrome’s Mojo inter-process communication system and was rated high severity by Google.
The issue was patched in mid-May with the Chrome 136 update, and details have now been made public.
“Congratulations! The Chrome Vulnerability Rewards Program (VRP) Panel has decided to award you $250000.00 for this report,” Google’s panel said.
Bug found was “very complex”
Micky’s proof-of-concept exploit achieved a sandbox escape and system command execution, demonstrated by opening the calculator app, with a success rate of around 70–80%. Google noted that exploitation would typically require a targeted user to visit a malicious website.
The $250,000 reward is the maximum payout available for a Chrome sandbox escape, only awarded for a high-quality report that includes a demonstration of remote code execution. Google described CVE-2025-4609 as a “very complex logic bug” and credited Micky with providing a functional exploit and strong analysis.
In 2024, Google paid out a total of $12 million through its bug bounty programs, with the highest single reward at the time being $110,000. This latest payout now sets a new record for the company’s Chrome rewards.