Comment by j0hnyl
1 year ago
Not sure about Google VRP, but I've gotten multiple payouts from Chrome over the years and I believe there's a schedule. The rewards panel meets every x weeks in order to award payouts on qualifying reports. Almost no bug bounty programs pay upon triage by the way, they pay after resolution.
I run a bug bounty program and I pay upon successful triage: while our engineering teams do have security SLA’s, it’s not fair to whomever reported the vulnerability to wait for our (sometimes broken) processes in order to be paid.