
Are any vendors offering no questions asked X$/0day rewards all year long instead of dedicated events? Seems like it would be a decent move. If the going rate is really in the 50k ballpark, why can't, say, Google offer 10-20k per Chrome exploit?

Their engineers don't make peanuts and the attacks on the software happen regardless. After a year or two you'd probably have a pretty secure system for a reasonable cost.

I don't think there's much negative press involved either if you spin it a la "we have the best security experts in the world attack our software and fix it asap".

Plus, you might pull off a decent talent grab or two as long as you understand how the people would like to work (probably not from a Google office).



Google's bug bounty is $3,133.70 (elite). The black market can pay $80k-200k+[1]. Why doesn't Google pay more? Well, like you said, "attacks on the software happen regardless". Their objective is to maximize shareholder value. People adopt browsers for other reasons besides maximum security. You hear about critical vulnerabilities all the time, to the point where you get desensitized to it. I don't think there's been a bug out there that caused people to dump a browser en masse.

[1] - http://www.forbes.com/sites/andygreenberg/2012/03/23/shoppin...


The bug bounty is for a security bug with no exploit. That makes it a lot less work for the security researcher. See the release notes on the Google Chrome blog for details of bounties paid.

Google also sponsors Pwn2Own and Pwnium with bigger prizes for bugs with working exploits.


> Are any vendors offering no questions asked X$/0day rewards
> all year long

Both Mozilla and Google do, but those rewards are in the $3k range.



