Researcher David Erceg discovered the extension-related vulnerabilities, described by Google as “insufficient policy enforcement in extensions,” in August. Three bugs of this type were identified: CVE-2020-15961, a high-severity vulnerability for which he received a $15,000 bug bounty; CVE-2020-15963, also a high-severity vulnerability, for which he received $5,000; and CVE-2020-15966, which has been rated medium severity and for which the bug bounty has yet to be determined. Erceg said that he has not named the affected API because Google has not mentioned it in its release notes; the bugs he identified all affect the same API made accessible to extensions.
Exploitation of these three vulnerabilities requires the targeted user to install a malicious extension with certain permissions. Two of the issues (the high-severity ones) allow an extension to download an executable file and run it. In both cases, no user interaction is needed after the extension is installed, Erceg explained. “In a real world attack, those issues would allow an extension to run an executable outside of the browser’s sandbox shortly after being installed (using the first issue, it could probably be achieved within a few seconds).” He noted that the second high-severity vulnerability (CVE-2020-15963) can only be exploited to run an executable outside the sandbox if certain conditions are met. If those conditions are not met, the attacker may still perform some actions, such as accessing restricted pages or reading local data. Alternatively, an attacker might chain this flaw with another vulnerability in order to execute code outside the sandbox.
The medium-severity issue, the researcher said, can be abused by a malicious extension to read the content of local files, which an extension is not normally allowed to do without getting permission from the user. The Chrome 85 update that fixes these vulnerabilities also resolves an out-of-bounds read memory issue for which an anonymous hacker received $15,000, and an insufficient policy enforcement issue for which researchers Leecraso and Guang Gong of 360 Alpha Lab earned $10,000. Earlier this month, Leecraso and Guang Gong earned a $20,000 bug bounty from Google for reporting a high-severity flaw that can be exploited to escape the Chrome sandbox.
New Google Chrome 85 Update Patches Vulnerabilities Cybers Guards