A researcher has earned a $250,000 bug bounty from Google for a Chrome vulnerability that can be exploited to escape the web browser’s sandbox.
The vulnerability, tracked as CVE-2025-4609, was reported to Google on April 22 by a researcher who uses the online moniker ‘Micky’. The issue was patched in mid-May with a Chrome 136 update, and details have now been made public by Google.
The security flaw, which impacts Chrome’s Mojo inter-process communication system, has been assigned a ‘high severity’ rating by Google.
The researcher said his PoC exploit achieved a sandbox escape and system command execution — he opened the calculator app to demonstrate the exploit — with a success rate of 70-80%.
Exploitation of these types of security holes typically requires the targeted user to visit a malicious website.
$250,000 is the maximum reward that Google is prepared to pay out for a Chrome sandbox escape vulnerability, but the amount can only be earned for a submission that includes a high-quality report with a demonstration of remote code execution.
Google described CVE-2025-4609 as a “very complex logic bug and high quality report with a functional exploit, with good analysis and demonstration of a sandbox escape”.
Google said earlier this year that it paid out a total of $12 million through its bug bounty programs in 2024 and the highest single reward was $110,000.

