Meanwhile, Google offers some support for full disclosure
It's a good time to be a security expert. Late last week, Mozilla gave its maximum reward for critical bugs a massive bump, from the $500 mark it has been at since the launch of the bug bounty program to $3,000. Mozilla stated:
"For new bugs reported starting July 1st, 2010 UTC we are changing the bounty payment to $3,000 US per eligible security bug. A lot has changed in the 6 years since the Mozilla program was announced, and we believe that one of the best ways to keep our users safe is to make it economically sustainable for security researchers to do the right thing when disclosing information," Adamski wrote in a blog post. "We have also clarified the products covered under the bounty to better reflect the threats we are focused upon. We still include Firefox and Thunderbird obviously, but we also added Firefox Mobile and any Mozilla services that those products rely upon for safe operation."
Any original, unreported remote exploit bug that's present in beta or release versions of Firefox or Thunderbird is eligible for the big reward.
Apparently in response, Google this week bumped its top reward for finding SecSeverity-Critical bugs in Chromium (the open-source project on which the Chrome browser is built) to $3,133.70. Google reminds eager researchers that the majority of bugs, being less serious, will still fetch only the base $500.
It writes that the program has been a resounding success, stating:

"It has been approximately six months since we launched the Chromium Security Reward program. Although still early days, the program has been a clear success. We have been notified of numerous bugs, and some of the participants have made it clear that it was the reward program that motivated them to get involved with Chromium security.

We maintain a list of issued rewards on the Chromium security page. As the list indicates, a range of researchers have sent us some great bugs and the rewards are flowing! This list should also help answer questions about which sort of bugs might qualify for rewards."
In related news, Google also appears to be leaning increasingly towards support of a policy of full disclosure. Full disclosure means publishing the details of a bug to the affected company and to the wider hacker community at the same time, or nearly so; a very different idea from reporting bugs and exploits to the vendor alone and waiting for them to be fixed before saying anything publicly.
Google's position is that "responsible" disclosure on its own isn't necessarily the best way to protect users, because it encourages complacency on the vendor's side. Instead, Google suggests that a researcher should disclose publicly if a genuinely critical bug remains unfixed roughly 60 days after it was reported to the software vendor.
It writes:

"Accordingly, we believe that responsible disclosure is a two-way street. Vendors, as well as researchers, must act responsibly. Serious bugs should be fixed within a reasonable timescale. Whilst every bug is unique, we would suggest that 60 days is a reasonable upper bound for a genuinely critical issue in widely deployed software. This time scale is only meant to apply to critical issues. Some bugs are mischaracterized as "critical", but we look to established guidelines to help make these important distinctions, e.g. Chromium severity guidelines and Mozilla severity ratings."
That's a pretty progressive stance, considering that many affected companies have suggested that those who fully disclose are essentially cybercriminals. The idea of full disclosure is nothing new; it was championed way back in the late 1990s by the site Inside-Aol.com, which featured such security researchers as Tatiana Gau and Adrian Lamo aggressively publishing exploits about the company's site and services. The industry's more progressive players (Google, Mozilla, etc.) seem to have slowly shifted towards support of full disclosure, though, after witnessing its beneficial effects.