That’s right, Google pays you money if you find a exploit in Chromium.
The Chrome Reward Program was launched in January 2010 to help reward the contributions of security researchers who invest their time and effort in helping us to make Chrome and Chrome OS more secure. Through this program we provide monetary awards and public recognition for vulnerabilities responsibly disclosed to the Chrome project.
The have the following rewards
||High-quality report with
functional exploit 
|High-quality report 
||Low-quality report 
|Sandbox Escape 
||$2,000 – $5,000
|Renderer Remote Code Execution
||$1,000 – $3,000
|Universal XSS (local bypass or equivalent)
||$0 – $1000
 A high-quality report with a reliable exploit that demonstrates that the bug reported can be easily, actively and reliably used against our users.
 A report that includes a minimized test case and the versions of Chrome affected by the bug. You will also demonstrate that exploitation of this vulnerability is very likely (e.g. good control of EIP or another CPU register). Your report should be brief and well written with only necessary detail and commentary.
 A minimized test case or output from a fuzzer that highlights a security bug is present.
 A report submitted with only a crash dump, without a Proof of Concept (PoC) or with a poor quality PoC (e.g. a 1MB fuzz file dump with no attempt at reduction) that is later verified to be a legitimate issue.
 Escaping any layer of the sandbox (including the NaCl sandbox) will be considered as a sandbox escape.
Investigating and reporting bugs
All bugs should be reported via this form. Note that your submission is over HTTPS and does not require additional encryption. Bugs that are found in Google’s server-side services should be reported under the Google Vulnerability Rewards Program instead.
When investigating a vulnerability, please, only ever target your own computers. Never attempt to access anyone else’s data and do not engage in any activity that would be disruptive or damaging to your fellow users or to Google.
Note that we are only able to answer to technical vulnerability reports. Non-security bugs and queries about problems with your account should be instead directed to Google Help Centers.