The .safariextz are not checked by Download Protection
Reported by
resea...@nightwatchcybersecurity.com,
Apr 1 2016
Issue description

VERSION
Chrome Version: 49.0.2623.110
Operating System: Mac OS X 10.11.4

REPRODUCTION CASE
Safari extension files should be checked. This is mitigated by a warning that Safari prompts users before installing extensions.
Apr 4 2016
lgarron -- Do you know about how Safari warns before installing an extension from the file system? Is it sufficiently low-friction (scary) that Chrome should block them? Related: crbug.com/599879
Apr 5 2016
Yes, Safari does ask before installing the extension. "You can also get extensions directly from your favorite developers. When you download an extension from a developer, you get a file that ends with .safariextz. Double-click the file to install the extension. It isn't signed or hosted by Apple, so Safari asks you to confirm that you trust the source and want to install the extension." Source: https://support.apple.com/en-us/HT203051
Apr 11 2016
research@nightwatchcybersecurity.com: Thanks for reporting this issue. According to the rules of the reward program: "The file type on disk must lead to non-sandboxed code execution after minimal user interaction with the file." Source: https://www.google.com/about/appsecurity/chrome-rewards/index.html Since installing a .safariextz that's not been signed by Apple requires the user to accept a prompt designed to defeat such installation, the interaction cannot be considered minimal. Therefore, this bug does not qualify for the reward.
Mar 10 2017
For all Download Protection VRP bugs: removing label Restrict-View-Google and adding Restrict-View-SecurityTeam instead.
Mar 11 2017
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 1 by ClusterFuzz, Apr 1 2016