How much Alphabet makes is almost irrelevant. The incentive here should be for security researchers. As long as there's enough incentive for security researchers to continue to report the bugs they find (which must be balanced against the potential payment a criminal could get if exploiting the bug, which is not directly correlated to the company's income either, at least not necessarily), the payment is appropriate.

To be fair, goog has to pay comparable to other 3rd party brokers, and not necessarily "potential payment by exploiting the bug". Finding an exploit and being able to deploy it for financial gains are two distinct problems, with separate skillsets, risks, etc.

Plus there are some other benefits of disclosing to goog. After you get into VRP you get access to grants & stuff and can basically ask to study a problem and get funded for that effort. Being able to blog about it, pad your experience, etc etc. All while not having to look over your shoulder for 3 letter agencies your whole life :)

You think state intelligence agencies don’t hack whitehats for their 0days?

You know there’s ongoing and plausible efforts by at least 3 organizations to conquer the Earth, right?

> How much Alphabet makes is almost irrelevant.

While I embrace the downvotes, I disagree. From my pov, the amount of money paid should factor in the anticipated risk for your business. If a privilege escalation means that Google takes a massive hit in Ad Revenue, then this should be factored in.

Why would it affect ad revenue?

An exploit like this would be abused by somebody who sets up a malicious website to try to take control over somebody's device or otherwise steal secrets from them like keys for cryptocurrencies. These attacks tend to be targeted. Nobody is using an exploit like this to create an ad blocker or even to do ad fraud.

The only risk to revenue here is reputational, and I think that it is likely that the existence of this bug would be less widely known if the bounty program didn't exist and the bug was sold on the black market.

> the amount of money paid should factor in the anticipated risk for your business. If a privilege escalation means that Google takes a massive hit in Ad Revenue, then this should be factored in.

Given this exploit, that would probably lower the payout. There are absolutely tons more sandbox escapes in Chromium engine right now (here's a fun list of previous ones, none of which cost them ad rev[1]), and they're not adversely affecting Google's ad revenue. No company is pulling ads because Chrome has a vuln.

This wouldn't even be the kind of reputational hit that something like SolarWinds was.

[1]: https://github.com/allpaca/chrome-sbx-db