I wonder why Microsoft doesn't have a similar program. Hotmail just got hacked pretty bad, and the hackers were selling the vulnerability for chump change in forums. What if they had an incentive to report it to Microsoft instead?
That's pretty much the whole story. It was a quick email thread between a few people in Chrome Security and Google Security.
Not worth it for him.
Google could deduct it either way - either as a donation or as a business expense.
The rules for paying tax are different for corporations (which incidentally is one of the reasons some self-employed programmers incorporate).
xkcd's take: http://xkcd.com/871/
You could also do clever things with type systems in a language with sufficiently complex type checking, but nobody seems to do that either.
Unfortunately our industry rewards getting stuff done, and not getting stuff done right. (PHP being an extreme example.) So this state of affairs is likely to remain.
Of course, InformationWeek might like to actually fix that bug. Sometime soon?
It's a good writeup about the post-XSS world and what kinds of attacks still exist.