Google has awarded a historic reward of $250,000 to the security researcher known as Micky for discovering a critical vulnerability in the architecture of the Chrome browser. This vulnerability made it easier for malicious websites to escape Chrome’s sandbox protection, allowing arbitrary code execution on victims’ systems.
A historic reward
The flaw lay in Chrome’s Inter-Process Communication (IPC) system, specifically in the IPCZ transport mechanism. According to the published details, the bug was in the Transport::Deserialize function, which did not adequately validate the header.destination_type parameter before creating transport objects. A malicious renderer process could therefore set this parameter to impersonate a privileged broker process.
The attack was a multi-step process in which a compromised renderer sent crafted messages to gain control over browser-process resources. The proof-of-concept exploit demonstrated a sandbox escape by duplicating handles of the privileged browser process, which carried full permissions to execute system commands.
The decision to grant such a high reward reflects not only the sophistication of the exploit but also Google’s commitment to incentivizing security research, especially in critical areas of its browser. The vulnerability was responsibly disclosed on April 22, 2025, and Google’s security team, led by Alex Gough, shipped fixes in May 2025. These included removing transitive trust from transports and adding stricter validation of endpoint trust within the IPCZ system.
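To make the bug class and the fix concrete, here is an added, simplified C++ model of the two points above: a deserializer that takes a sender-controlled destination_type at face value, beside one that checks the claim against what the receiving side already knows about the peer and refuses transitive broker trust. This is illustrative code written for this article, not Chromium's or the IPCZ project's code; the type names (EndpointType, TransportHeader, Transport), the field layout, the carrier_peer parameter and the function names are all assumptions.

```cpp
#include <cstdint>
#include <optional>

// Hypothetical endpoint kinds. In this model only the broker is privileged.
enum class EndpointType : uint8_t { kBroker = 0, kNonBroker = 1 };

// Hypothetical serialized header. Every byte is sender-controlled when the
// message arrives from a compromised renderer.
struct TransportHeader {
  uint8_t destination_type;  // EndpointType the sender claims for the far end
  uint8_t source_type;       // EndpointType the sender claims for itself
};

// Hypothetical in-memory transport object built from a header.
struct Transport {
  EndpointType source_type;
  EndpointType destination_type;
  bool IsRemotePrivileged() const {
    return destination_type == EndpointType::kBroker;
  }
};

// Range-checks a raw byte; anything outside the enum is rejected.
static std::optional<EndpointType> ParseType(uint8_t raw) {
  switch (raw) {
    case 0: return EndpointType::kBroker;
    case 1: return EndpointType::kNonBroker;
    default: return std::nullopt;
  }
}

// Vulnerable pattern (hypothetical): the bytes are range-checked, but the
// sender's claims are accepted as-is, so a non-broker can label the far end
// of a new transport as a broker.
std::optional<Transport> DeserializeUnchecked(const TransportHeader& h) {
  auto src = ParseType(h.source_type);
  auto dst = ParseType(h.destination_type);
  if (!src || !dst) return std::nullopt;
  return Transport{*src, *dst};
}

// Hardened pattern (hypothetical): the receiver knows out of band what kind
// of endpoint sits on the other side of the channel the header arrived over
// (carrier_peer). The header's claims are checked against that knowledge,
// and only a broker may vouch that a new transport reaches a broker, which
// removes transitive trust.
std::optional<Transport> DeserializeChecked(const TransportHeader& h,
                                            EndpointType carrier_peer) {
  auto src = ParseType(h.source_type);
  auto dst = ParseType(h.destination_type);
  if (!src || !dst) return std::nullopt;
  if (*src != carrier_peer) return std::nullopt;  // sender misrepresents itself
  if (*dst == EndpointType::kBroker && carrier_peer != EndpointType::kBroker)
    return std::nullopt;  // a non-broker cannot introduce a broker
  return Transport{*src, *dst};
}

// Scenario from the write-up: a non-broker (renderer) sends a header whose
// destination_type claims the far end is a broker.
bool ForgedBrokerAcceptedUnchecked() {
  TransportHeader forged{/*destination_type=*/0, /*source_type=*/1};
  auto t = DeserializeUnchecked(forged);
  return t && t->IsRemotePrivileged();  // true: the forgery is accepted
}

bool ForgedBrokerAcceptedChecked() {
  TransportHeader forged{/*destination_type=*/0, /*source_type=*/1};
  auto t = DeserializeChecked(forged, EndpointType::kNonBroker);
  return t && t->IsRemotePrivileged();  // false: the forgery is rejected
}

int main() {
  return (ForgedBrokerAcceptedUnchecked() && !ForgedBrokerAcceptedChecked()) ? 0 : 1;
}
```

The point of the checked variant is that a range check on the header bytes is not a trust check: the receiver has to decide who is allowed to assert a privileged destination, and in this model that decision is tied to the already-known trust level of the channel the message came over rather than to anything in the message itself.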
This event underscores the importance of collaboration between security researchers and technology companies to maintain the integrity and security of digital platforms.