by verganileonardo 1980 days ago
Probably not even worth the time he invested in looking for the bug or writing the post. And is basically nothing compared to the value of "exploiting" this bug.

I would've expected at least a job offer or public praise for his offers. No wonder bug hunting is not attracting enough people.


> And is basically nothing compared to the value of "exploiting" this bug.

Out of interest, how do you think you'd go about monetising this bug?

I agree that the information leakage is definitely bad, but exploiting that to turn it into cold hard cash seems tricky at best imo. I presume this factors into Google's payout calculations.

Make a VPN service, market it in China, put this code into the control/account panel, sell data to Chinese government.

And no, how much it could be monetized certainly shouldn't factor into lowering the bounty. Maybe when raising it, since you need to be competing with the black market, but an exploit should be valued only on how much damage it could cause, and getting people disappeared for watching anti-government videos sounds like pretty big damage.

> ...sell data to Chinese government.

I think this part is probably pretty hard and is certainly risky.

Or just sell the exploit on the dark net, where a Chinese state-sponsored hacker would surely find it and buy it. I'm certain China has a pile of crypto somewhere intended for just that.