

Ethical Hacking News

A $250,000 Reward for a Chrome Sandbox Escape: A New Benchmark in Browser Security Vulnerability Reporting


A researcher has earned $250,000 from Google for identifying a critical Chrome sandbox escape vulnerability, highlighting the importance of responsible disclosure in browser security. This achievement sets a new benchmark for browser security vulnerability reporting and underscores the evolving landscape of cybersecurity threats.

  • A researcher earned a $250,000 award from Google for identifying a critical sandbox escape vulnerability in Chrome.
  • The vulnerability, tracked as CVE-2025-4609, allows attackers to escape the sandbox and achieve remote code execution.
  • Google chose not to publicly disclose the vulnerability until after releasing the fix in Chrome 136.
  • The researcher's contribution was recognized for demonstrating a "Chrome sandbox escape" with a high-quality report and functional exploit.
  • The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added the vulnerability to its Known Exploited Vulnerabilities (KEV) catalog in March 2025.



  • Chrome sandbox escape nets security researcher $250,000 reward


    Pierluigi Paganini
    August 11, 2025



    A recent development in the world of browser security vulnerability reporting has left many in the cybersecurity community abuzz with excitement. Google, the dominant player in the web browser market, has awarded a staggering $250,000 to a researcher who successfully identified and reported a critical sandbox escape vulnerability in its Chrome browser. This remarkable achievement not only showcases the importance of responsible disclosure but also highlights the evolving landscape of browser security vulnerabilities.


    The researcher, known by the handle "Micky," earned this prestigious award for reporting a high-severity vulnerability tracked as CVE-2025-4609. The exploit leverages an incorrect handle provided in unspecified circumstances in Mojo, which an attacker can use to escape the sandbox and achieve remote code execution. This flaw was addressed by Google with Chrome 136, but it is worth noting that the company chose not to publicly disclose the vulnerability until after releasing the fix.


    Mojo, Chromium's inter-process communication (IPC) framework, designed for efficient communication between different processes within the browser, proved to be a fertile ground for this vulnerability. Mojo uses "message pipes" consisting of two endpoints (Remote and Receiver) that send and receive asynchronous messages using strongly-typed interfaces defined in special .mojom files. The issue at hand stems from an incorrect handle provided in unspecified circumstances in Mojo.


    In a message sent to the researcher, acknowledging their contribution, Google praised Micky's report for demonstrating "a Chrome sandbox escape — while arguably there is a race here, this is a very complex logic bug and high-quality report with a functional exploit, with good analysis and demonstration of a sandbox escape." This endorsement underscores the significance of Micky's work and serves as an incentive for other researchers to prioritize responsible disclosure.


    The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added this vulnerability to its Known Exploited Vulnerabilities (KEV) catalog in March 2025, marking it as a high-priority target for organizations to address. Google subsequently released out-of-band fixes to address the security flaw CVE-2025-2783 in the Chrome browser for Windows.


    This achievement not only sets a new benchmark for browser security vulnerability reporting but also underscores the evolving landscape of cybersecurity threats. As browsers continue to evolve and improve, so too do the tactics employed by attackers seeking to exploit these vulnerabilities. Researchers like Micky play a vital role in this cat-and-mouse game, identifying and reporting vulnerabilities that can be addressed by software vendors.


    In conclusion, the $250,000 award given to researcher "Micky" for their work on the Chrome sandbox escape vulnerability serves as a testament to the power of responsible disclosure in improving browser security. As we continue to navigate the complex world of cybersecurity threats, it is essential that researchers like Micky remain vigilant and prioritize the identification and reporting of vulnerabilities like this one.




    Related Information:
  • https://www.ethicalhackingnews.com/articles/A-250000-Reward-for-a-Chrome-Sandbox-Escape-A-New-Benchmark-in-Browser-Security-Vulnerability-Reporting-ehn.shtml

  • https://securityaffairs.com/181057/hacking/chrome-sandbox-escape-nets-security-researcher-250000-reward.html

  • https://nvd.nist.gov/vuln/detail/CVE-2025-4609

  • https://www.cvedetails.com/cve/CVE-2025-4609/

  • https://nvd.nist.gov/vuln/detail/CVE-2025-2783

  • https://www.cvedetails.com/cve/CVE-2025-2783/


  • Published: Mon Aug 11 14:12:35 2025 by llama3.2 3B Q4_K_M












