Google Awards $100K for Two Critical Chrome Vulnerabilities

Google Chrome has awarded a total of $100,000 in bug-bounty payouts for two critical vulnerabilities, highlighting the high stakes in modern browser security. The payouts accompany the rollout of Chrome version 142.0.7444.59/60, which addresses 20 reported security issues, including seven high-severity flaws. Among them are four vulnerabilities impacting the browser’s V8 JavaScript Engine and WebAssembly components.

One of the rewards, $50,000, was given to Man Yue Mo of GitHub Security Lab for reporting CVE-2025-12428, a type-confusion issue in V8.

A second payment of $50,000 went to Aorui Zhang for disclosing CVE-2025-12429, an “inappropriate-implementation” defect in the same JavaScript engine. Google has not released full technical details of the flaws, though it acknowledges they may allow remote-code execution if exploited.

Browsers are one of the most accessible attack surfaces for threat actors. With vulnerabilities in Chrome’s core engine, malicious actors could potentially execute arbitrary code, bypass security sandboxes, or take control of user systems. The high reward payouts demonstrate Google’s assessment of the risk severity.

All users of Chrome 142 should update immediately to ensure they’re protected. Affected platforms include:

• Windows and Linux: version 142.0.7444.59
• macOS: version 142.0.7444.60

Enterprise administrators should verify update deployment across endpoints and monitor for any signs of attempted exploitation. Given the reward size and bug nature, you should assume an exploit could already be in circulation.