According to the researchers, one of the factors in the success of the Chromium bug bounty initiative is that the majority of the rewards are for only $500 or $1,000 and larger rewards are infrequent.
"Much like the lottery, a large maximum payout ($30,000 for Chrome), despite a small expected return (or even negative, as is the case of anyone who searches for bugs but never successfully finds any) appears to suffice in attracting enough participants," they pointed out.
But Google is obviously wise to the fact that the monetary incentives for the researchers need to be occasionally increased, and has done so repeatedly in the last few years.
The latest upswing has been announced on Monday, when Google's Chris Evans and Adam Mein divulged that bugs previously rewarded at the $1,000 level will now be considered for reward at up to $5,000.
"We’ll issue higher rewards for bugs we believe present a more significant threat to user safety, and when the researcher provides an accurate analysis of exploitability and severity," they wrote. "We will continue to pay previously announced bonuses on top, such as those for providing a patch or finding an issue in a critical piece of open source software."
They also shared that in the three years since they launched both bounty programs, they have rewarded and fixed more than 2,000 security bug reports, which resulted in over $2 million being handed over to the deserving researchers.