Comment by makeitdouble

2 months ago

I'm in all agreement (genuinely thankful for the context you brought on the difference in market values for this category of bugs), which is also part of why it's sobering privacy bugs have such a low valuation and this is set as a high payout.

For security researchers it's apparently obvious, but from the outside it's another nail in the coffin of how we want to think about user data (especially creators, many being at the front line of abuse already). As you point out, Google here is only the messenger, but we'll still remember the face that delivered the bitter pill, for better and worse.

Globally, how many people are there presently salivating at the thought of US$10,000 for a bug bounty?

How many young computer enthusiasts / aspiring security researchers are motivated to learn more because they see what, to them, are massive payouts?

You or I might not get out of bed for the hourly rate that translates to, fine by me - I have a job that pays the figure I negotiated.

Bug bounty programs pay the market clearing rate, always. One bug, two market participants, one price.