Did Microsoft pay the entire $75k? The people who found that issue reported it to multiple stakeholders, and their blog post[1] merely says they were awarded $75k in total. I assume the bulk of the bounties were paid by the service providers who failed to heed the warning in Microsoft's documentation.
Also, the Microsoft issue was far worse as it could be exploited by anyone; the Google issue requires a rogue employee or a misconfigured email ticketing system.
[1] https://www.descope.com/blog/post/noauth
On a second read you're probably right about it being multiple vendors paying out.