Comment by kazinator

2 months ago

The discoverer had these choices:

- monetize the bug themselves; i.e. set up a site where you can submit a YouTube user id, pay some fee using your credit card and get an e-mail address.

- report that they have the ability to convert any YouTube id to an e-mail, with proof: then negotiate over compensation for the disclosure of the details

- just report the problem and be happy with whatever they get.

Ten grand doesn't look too bad for the most timid choice.

Do any companies pay bounties for path #2? My understanding is that it's forbidden by most bounty programs since it could be seen as a form of extortion.

For #1, as tptacek says, it would be trivially easy for Google to shut a service like that down as soon as it was created, and prosecute the people running the service under the CFAA. Also, the amount of demand for that kind of data is pretty small given the number of email address databases already available online through legal means (e.g. Zoominfo, RocketReach, etc). It's a path filled with a lot of risk and not a ton of reward.