I wonder what is the rationale behind setting the bounty so (ridiculously) low?
If they want to attract the best crackers to pen-test their apps and convince them to sell their findings to google instead of someone else, then why not declare "up to 1 million" for a serious vulnerability?
It's not like they couldn't afford that, nor that they would have to actually pay it out very often. Surely a mainstream headline "Google pays $1mio bounty to protect user security" is generally more welcome than "Russian phishing gang paid $1mio for the exploit that was used to steal from thousands of google users"?
I am skeptical that any Russian phishing gang is paying 7 figures for XSS vulnerabilities on random Google properties.
I am equally skeptical that there has ever been a "million dollar" vulnerability sale; that's an order of magnitude higher than the most inflated claim I've heard for reliable remote code execution flaws on Windows.
Note that for $500,000 --- half your bounty --- Google could get any security team in the business to find horrible things in any of their platforms. $500k buys a meaningful project from anyone from Cryptography Research to iSec Partners to Mark Dowd or Dino Dai Zovi.
I think you're just throwing drama-spaghetti at the wall. It's not going to stick. While it's true that most pro vuln researchers aren't going to stop everything to go after $500 XSS vulnerabilities, I'd challenge you to find one of them that thinks a $500 XSRF is a "slap in the face".
(I can only speak for myself, my friends, and my team members when I say that nobody I know thinks this).
A million dollars for a web app flaw is a wildly inappropriate number. I think you missed the part of my response where I said that half that amount gets you many, many weeks of Mark Dowd and Dino Dai Zovi. How much do you think Michal Zalewski and Neel Mehta make? I bet it's less than $500k. So: why would they be offering six figures for individual flaws again?
The market for app security research is hopping, but it's not that hopping.
So: why would they be offering six figures for individual flaws again?
And it seems you missed the part where I said that I'm naturally not expecting them to pay out six figures for just any minor flaw.
The idea is to convince anyone who finds an actionable flaw that it's more worthwhile to sell that to google, rather than thinking of more creative ways to turn it into money.
I believe this kind of crowd-sourcing would be more effective than any security team could possibly get. I'd venture the guess that the large majority of people who are pen-testing Google properties every day are not employed at some security firm.
Probably just to save wasted time. Imagine the number of people calling and saying "I've got a Bug! I won't tell you until you agree to pay $500,000 for it". It would get absurd.