Comment by theK

1 year ago

> * August 7th - The issue was triaged

> * October 5th - Google paid $1337 for the issue

Is it just me or does it seem a bit odd that payout after triage took almost two full months? Initially I was positively surprised that they came up with a triage verdict within 2-3 days but what's the deal with the payout coming so late?

Not sure about Google VRP, but I've gotten multiple payouts from Chrome over the years and I believe there's a schedule. The rewards panel meets every x weeks in order to award payouts on qualifying reports. Almost no bug bounty programs pay upon triage, by the way; they pay after resolution.

  • I run a bug bounty program and I pay upon successful triage: while our engineering teams do have security SLAs, it’s not fair to whoever reported the vulnerability to wait for our (sometimes broken) processes in order to be paid.

It's pretty normal for large companies to take ages to pay up. The real problem here is this major bug only elicited a token $1337 payment.