Security researcher awarded $250,000 for Chrome sandbox escape vulnerability

A security researcher going by the handle Micky received a record payout from Google. The specialist discovered a bug in Chrome that allows bypassing the browser’s sandbox and earned $250,000 through the bug bounty program.

The vulnerability, assigned CVE-2025-4609, was discovered back in April 2025. It was then fixed in mid-May with the release of Chrome 136 (and, correspondingly, in other Chromium-based browsers such as Edge, Opera, Vivaldi, and Brave). Now Google developers have disclosed the details.

The bug affected the ipcz Mojo library — a Chrome component that manages communication between the browser’s internal processes.

Google specialists classified the issue as high severity. They describe CVE-2025-4609 as a “very complex logical bug,” and characterize the researcher’s report as high quality, with solid analysis, noting that it included a working exploit to demonstrate a sandbox escape.

According to the researcher himself, his PoC exploit made it possible to bypass the sandbox and execute a system command (to demonstrate the issue, he launched the calculator) with a success rate of 70–80%. In fact, Micky found a way to manipulate Chrome’s internal processes and duplicate the browser’s parent process in order to run malicious code.

As a rule, exploiting such vulnerabilities requires the victim to visit a malicious site using a vulnerable version of Chrome.

It is worth noting that $250,000 is the maximum amount Google is willing to pay for Chrome sandbox escape vulnerabilities. Moreover, such a payout can only be expected if the bug report is of the highest quality and includes a demonstration of remote code execution.

The reward received by Micky is one of the largest payouts in Google’s bug bounty program to date, second only to the $605,000 award paid in 2022 to the security researcher known as gzobqq for a series of five Android vulnerabilities.