Google has launched an experimental programme to encourage external security researchers to find and report vulnerabilities in its browser. Borrowing from the Mozilla Foundation’s 2004 Security Bug Bounty Program, the programme will award $500 for each bug found. In special cases, a committee will decide whether to increase the amount to a maximum of $1,337 – however, this reward is reserved for particularly critical vulnerabilities, or for particularly smart reports on vulnerabilities and their exploitation.
According to Google, it doesn’t matter whether the vulnerability is in the open source Chromium version or the binary Chrome version. The two differ only marginally anyway – Chrome additionally contains GoogleUpdater and sends an RLZ parameter which is forwarded to Google when a search term is entered in the Chrome address bar. The company will not be offering rewards for reports of bugs in third-party plug-ins.
Details in The Chromium Blog: Encouraging More Chromium Security Research