Of course, not just any bug will do—no need to spell check the GUI. The goal is to minimize security vulnerabilities in the browser, so only bugs along those lines will be eligible. They’re focusing on “high and critical impact” bugs, but “clever vulnerabilities” of any security level could be rewarded as well. To submit the bug, just use the usual Chromium bug tracker with the Security Bug template.
The maximum payout, of course, is reserved for bugs whose impact would be severe if not fixed. The dollar amount is a “clever” nod to the leet speak used among hackers. In the blog post, Google gives a nod to their inspiration, the Mozilla vulnerability reward program.
Most developers will be eligible to participate, however, “residents of countries where the US has imposed the highest levels of export restriction (e.g. Cuba, Iran, North Korea, Sudan and Syria)” cannot receive rewards, nor can minors (though Google says they’ll work with an adult representing a minor). Participants are also asked not to publicly disclose reported bugs until Google addresses them—then they’re free to speak openly.
What do you think? Did your weekend plans just change ?