Why Is Google Paying Only $500 for a Critical V8 Out‑of‑Bounds Write Bug?
The article examines Google’s $500 reward for a high‑severity V8 out‑of‑bounds write vulnerability, tracing the historic decline of bug‑bounty payouts, the monopolistic role of major platforms, AI‑driven bug‑finding saturation, and the resulting challenges for security researchers both globally and in China.
1. Event Recap: $500 to Buy an OOB Bug
The incident stems from Google’s recent fix of a V8 out‑of‑bounds write vulnerability (CVE‑2026‑9896). An OOB write allows an attacker to execute arbitrary code inside the browser process, effectively enabling stealthy, stable remote‑control tools. Such a bug would have fetched tens of thousands of dollars five years ago, yet Google paid only $500, a figure the author describes as a floor price.
2. Bounty Deflation: Money Loses Value, Bugs Get Harder to Find
2.1 Ten‑Year Bounty Shrinkage
In the early 2010s, a high‑quality sandbox‑escape bug could earn over $100,000 under Google’s Vulnerability Reward Program (VRP). Companies then heavily invested in security research. Recent years show three major shifts:
Pricing power highly concentrated: Google, Apple, and Microsoft dominate the bug‑buying market, leaving researchers with no bargaining power.
Oversupply of bugs: AI‑assisted discovery tools and automated scanners flood platforms with low‑ to medium‑severity reports, diluting scarcity.
Bounty caps keep dropping: The same class of bug may now be worth only $500, justified by “actual impact assessment,” even though the technical impact has not diminished.
2.2 What $500 Means
$500 is less than 4,000 CNY. Compared to a week’s salary for an average programmer, it is negligible. Discovering and analyzing a V8 OOB write requires deep JavaScript engine knowledge, extensive fuzzing, and weeks of debugging. On the black market, similar bugs can sell for dozens to hundreds of times the public bounty.
This amount is not a subsidy; it is an insult.
3. Why Bounties Keep Dropping
3.1 Platform Monopoly: Rules and Prices Set by the Same Entities
The bug‑bounty ecosystem suffers from a fundamental flaw: the platform acts as rule‑maker, evaluator, and payer. Researchers must follow strict responsible‑disclosure agreements that prohibit public discussion before a fix, effectively closing competition and giving platforms total pricing control.
The pricing logic serves the platform’s profit motive: lower payouts increase margins, and “impact assessment” becomes a flexible justification for price cuts.
3.2 AI Influx: Lowered Discovery Thresholds Without Matching Demand
AI‑assisted code‑audit tools (e.g., GPT‑4, Claude) can scan codebases and output potential vulnerabilities, dramatically reducing the cost of finding low‑ to medium‑severity bugs. However, enterprise security budgets have not grown proportionally, so the market is flooded with reports that command lower fees because “anyone can find them.”
The actual danger of the vulnerabilities remains unchanged; only the ease of discovery has improved, leading to pricing based on “knife sharpness” rather than potential damage.
3.3 Structural Suppression: Disclosure Rules Strip Researchers of Negotiation Leverage
Responsible‑disclosure agreements, originally meant to protect users, now function as price‑suppression tools. After submission, researchers enter a prolonged “waiting for fix” window during which the bug details remain confidential, leaving them powerless.
Platforms can delay, pressure, or impose stricter contracts without any recourse for the researcher, turning the relationship into unilateral rule enforcement.
4. Domestic Lessons: Same Script, Lower Prices
4.1 The Chill Is Real
The issue is not limited to Silicon Valley. In China, security researchers have long complained about low payouts. AI‑driven tools have similarly surged, causing a sharp rise in reported bugs while bounty amounts keep falling. For a leading internet company, a high‑severity bug that fetched 20–30k CNY in 2023 dropped to a few thousand CNY by 2025, a decline of over 80%.
Domestic platforms typically offer lower rates than their international counterparts; a sandbox‑escape bug may only earn a few thousand RMB, creating “same work, different pay” conditions.
4.2 Specific Challenges in China
Information asymmetry is more severe: researchers lack visibility into other platforms’ pricing, making cross‑platform comparison difficult.
Alternative channels are limited; western bug‑buying platforms like Zerodium are inaccessible, leaving public bounties as the primary compliant monetization path.
Enterprise security awareness varies widely, with many small‑to‑mid‑size firms allocating minimal budgets for vulnerability remediation, further suppressing market demand.
4.3 Need for Change
China needs more outspoken voices like C2IRIS to demand transparent pricing standards and introduce competitive market mechanisms; otherwise, researchers will increasingly abandon public bounty programs in favor of private deals.
5. Conclusion: Don’t Let $500 Destroy the Industry
For a giant like Google, $500 is negligible, but for a security researcher it can erase a month’s worth of effort. When incentive structures systematically demotivate researchers, the ultimate victims are everyday users who rely on secure browsers.
Red teams are not cheap labor, and vulnerabilities are not free lunches for platforms. If bounty pricing does not evolve, more talented researchers will “vote with their feet,” leaving public programs and moving to private transactions, jeopardizing overall security.
Who will protect us then?
This article has been distilled and summarized from source material, then republished for learning and reference. If you believe it infringes your rights, please contact us and we will review it promptly.
Black & White Path
