Probably not even worth the time he invested in looking for the bug or writing the post. And is basically nothing compared to the value of "exploiting" this bug.
I would've expected at least a job offer or public praise for his offers. No wonder bug hunting is not attracting enough people.
> And is basically nothing compared to the value of "exploiting" this bug.
Out of interest, how do you think you'd go about monetising this bug?
I agree that the information leakage is definitely bad, but exploiting that to turn it into cold hard cash seems tricky at best imo. I presume this factors into Google's payout calculations.
Make a VPN service, market it in China, put this code into the control/account panel, sell data to Chinese government.
And no, how much it could be monetized certainly shouldn't factor into lowering the bounty. Maybe when raising it, since you need to be competing with the black market, but an exploit should be valued only on how much damage it could cause, and getting people disappeared for watching anti-government videos sounds like pretty big damage.
Or just sell the exploit on the dark net, where a Chinese state-sponsored hacker would surely find it and buy it. I'm certain China has a pile of crypto somewhere intended for just that.
Bug bounties are ridiculous. If you disclose in an “irresponsible” way you’d get shamed here on HN, and yet we almost never talk about how pitiful the rewards are for “responsible” disclosure (maybe nothing or even legal trouble!).
YouTube embeds are such universal things on the web, I doubt anyone would even think twice about security concerns coming from seeing that on a third-party site.
Nice. What amazes me is how most of big tech's efforts on web development have gone into making you 0.01% more likely to click on an ad, and almost none of it has gone into cleaning up the privacy nightmare of 25 years of hacks with clean browser-based protocols.
Reminds me of when Google awarded me a whole Nexus 7 tablet for finding a way to run external JavaScript inside of Gmail for Android. The exploit required the user to tap on the email after opening it, which is why it didn't qualify for any money.
Unlisted? This also seems to apply to private videos? There was a recent exploit that let you copy private videos frame by frame if you had the address.
That's barely worth the time to create a proof of concept and write up the bug, let alone all the time spent understanding and finding it in the first place. A full-time engineer costs Google more than that each day.