This is an appealing program and makes it legitimate to get paid for vuln research. The other group that pays for vulnerabilities is the zero-day initiative. Here: http://www.zerodayinitiative.com/
That said, since we're kind of a free-market bunch of folks here, what do you think these vulnerabilities are worth on the black market? Just curious if the prices are competitive vs. selling to Russian black hats.
Other companies will pay for bugs. Mozilla has a bug bounty too; a 12 year old kid just took $3000 for finding a stack overflow in document.write(). There are also other 3rd-party bug buying organizations; iDefense is one of them.
The prices are not competitive versus finding illicit markets for vulnerabilities (as I understand it, it's not that there's one "Russian mafia" that will pay you 3x what Mozilla will, but rather that exploits can be repackaged for multiple illicit buyers). Selling to Google or Mozilla doesn't require a reliable exploit, though.
These figures are also a pittance compared to what companies pay for professional assessment work.