Discovery of Google Chrome sandbox escape vulnerability nets researcher $250,000 reward.

A security researcher going by the handle “Micky” recently earned a record-breaking $250,000 reward from Google for discovering a critical Chrome sandbox escape vulnerability. This represents one of the highest bug bounty payouts in Google’s Chrome Vulnerability Reward Program (VRP) history, matching the program’s maximum possible award.

The Vulnerability (CVE-2025-4609)

The security flaw, tracked as CVE-2025-4609, was discovered on April 23, 2025, and resided in the ipcz library of Mojo, a Chrome component responsible for managing how the browser’s internal processes communicate with each other. The vulnerability allowed an attacker to manipulate internal Chrome processes and duplicate the browser’s own parent process to run malicious code in the duplicate.

More specifically, a bug in ipcz allowed the sandboxed renderer process to reuse handles belonging to the browser process, letting it escape the sandbox and bypass several of the security boundaries that protect Chrome users. An exploit of this kind could allow an attacker to gain unauthorized access to a user’s system from a malicious website.

Discovery and Assessment

Initially, the researcher rated the vulnerability as medium severity, but Google’s security engineers determined it to be far more dangerous after evaluation. Google subsequently assigned it an S0/S1 severity level—the highest in their classification system—and prioritized the fix as P1.

The researcher was reportedly inspired by a previous Chrome vulnerability from March 2025, CVE-2025-2783, which was a zero-day exploit used in the wild by the TaxOff APT group in attacks targeting Russian organizations.

The Record-Breaking Reward

Google awarded the maximum $250,000 payout because the vulnerability was considered “a very complex logic bug,” and the researcher provided a detailed write-up along with functional proof-of-concept (PoC) demonstrations. Under Chrome VRP guidelines, sandbox escapes and memory corruption vulnerabilities outside the sandbox can earn between $25,000 and $250,000, with the maximum typically reserved for high-quality reports that include working remote code execution proof of concepts.

This $250,000 reward represents the first time in at least a decade that Google has awarded the top bounty amount for a Chrome vulnerability. For context, this makes it one of Google’s highest bug bounty payments ever, behind only a $605,000 reward paid in 2022.
