> One would imagine that this would have been escalated to some pretty senior security folks at Google before the payout was decided.
Bug bounties are routine. "How much do you want to pay out" is way down the list of things that leadership is focused on for these things. "How do we mitigate this" and "how does the researcher get paid" are often questions owned by different people and teams. Directors aren't swooping in to make payout decisions.
Bug bounties are routine. "How much do you want to pay out" is way down the list of things that leadership is focused on for these things. "How do we mitigate this" and "how does the researcher get paid" are often questions owned by different people and teams. Directors aren't swooping in to make payout decisions.