> And is basically nothing compared to the value of "exploiting" this bug.
Out of interest, how do you think you'd go about monetising this bug?
I agree that the information leakage is definitely bad, but exploiting that to turn it into cold hard cash seems tricky at best imo. I presume this factors into Google's payout calculations.
Make a VPN service, market it in China, put this code into the control/account panel, sell data to Chinese government.
And no, how much it could be monetized certainly shouldn't factor into lowering the bounty. Maybe when raising it, since you need to be competing with the black market, but an exploit should be valued only on how much damage it could cause, and getting people disappeared for watching anti-government videos sounds like pretty big damage.
Or just sell the exploit on the dark net, where a Chinese state-sponsored hacker would surely find it and buy it. I'm certain China has a pile of crypto somewhere intended for just that.