by libber 3580 days ago
A non-vulnerability like this is a good example of how easy it is to get press for $important_company + security.

Top of hackernews at the moment and fingers crossed there won't be a wave of articles about this in the coming days from tech press who don't fully understand the issue but know clicks when they see them.

2 comments

A non-vulnerability? I understand how you could call it non-serious if you don't work on user-oriented code or think all users have perfect peripheral vision all the time. But how do you explain the purpose for the check that fails any non-Google domain then?
Not only to GET press, but also to PRESS the company for $.

This is a huge problem I see with bug bounties. People running the bug bounties, who are not appsec security literate, are basically bullied into thinking that something is a security risk when it is not quite often.

I deal with people trying to do this 10-15 times per week. I can totally see how people get pushed into paying thousands for essentially worthless bugs.