
Comment by makeitdouble

2 months ago

The reputation angle shouldn't be dismissed: Google paying so little for this bug is the whole reason this article stays on the top page and gets so much discussion.

I don't know how much it should be worth, but at least there's a PR effect and it's also a message towards the dev community.

I see it the same way ridiculously low penalties for massive data breaches taught us how much privacy is actually valued.

If Google doesn't have the best reputation of any large tech company for security, it's in the top 3. This is not the nightmare scenario for Google that people think it is. It's a large payout for this bug class, so, if anything, what we're doing here is advertising for them.

  • I'm in full agreement (genuinely thankful for the context you brought on the difference in market values for this category of bugs), which is also part of why it's sobering that privacy bugs have such a low valuation and this is set as a high payout.

    For security researchers it's apparently obvious, but from the outside it's another nail in the coffin of how we want to think about user data (especially creators, many being at the front line of abuse already). As you point out Google here is only the messenger, but we'll still remember the face that delivered the bitter pill for better and worse.

    • Globally, how many people are there presently salivating at the thought of US$10,000 for a bug bounty?

      How many young computer enthusiasts / aspiring security researchers are motivated to learn more because they see what to them are massive payouts?

      You or I might not get out of bed for the hourly rate that translates to, fine by me - I have a job that pays the figure I negotiated.

      Bug bounty programs pay the market clearing rate, always. One bug, two market participants, one price.