[lalos]

Don't know the range of their bounty program but seems like this exploit is circumstantial on finding a subdomain which was left hanging. Once they registered that subdomain on their own account, this exploit seizes to be effective by third parties so reproducibility is minimal (subdomain can be registered once). Unless you plan to sell the exploit once to one client or just re-use it once at a time by selling access to it (too much trouble, centralized risk).

[kjaftaedi]

It's not about reproducibility but severity and value.

Offering low bounties for something like this can act as an incentive for people who find something like this to sell it somewhere else.

A bug like this would be orders of magnitude more valuable in the wrong hands.

[psds2]

How can a low bounty act as an incentive?

[kjaftaedi]

This attack could have been used to gain access to any Azure account.

If you knew that Microsoft would pay you a couple thousand for this and the black market would offer hundreds of thousands of dollars. It could influence a decision to not report the vulnerability to the developer.

[psds2]

I don't see how your explanation shows Microsoft creating the incentive. Your argument seems to amount to "Microsoft is not creating a sufficient disincentive." The problem with creating a sufficient disincentive is that you draw a lot of attention and still run the risk of being outbid when a vulnerability is discovered.