Comment by Cthulhu_

> Paying for a team or outside pentesters to attempt to find this would be _way_ more expensive.

But doesn't Google have teams of internal pentesters already? You could hire dozens of external companies and they might not find it.

This system is a "no cure, no pay" approach. I do think they should have paid the reporter a lot more though.