> How much Alphabet makes is almost irrelevant.
While I embrace the downvotes, I disagree. From my pov, the amount of money paid should factor in the anticipated risk for your business. If a privilege escalation means that Google takes a massive hit in Ad Revenue, then this should be factored in.
Why would it affect ad revenue?
An exploit like this would be abused by somebody who sets up a malicious website to try to take control over somebody's device or otherwise steal secrets from them like keys for cryptocurrencies. These attacks tend to be targeted. Nobody is using an exploit like this to create an ad blocker or even to do ad fraud.
The only risk to revenue here is reputational, and I think that it is likely that the existence of this bug would be less widely known if the bounty program didn't exist and the bug was sold on the black market.
> the amount of money paid should factor in the anticipated risk for your business. If a privilege escalation means that Google takes a massive hit in Ad Revenue, then this should be factored in.
Given this exploit, that would probably lower the payout. There are absolutely tons more sandbox escapes in the Chromium engine right now (here's a fun list of previous ones, none of which cost them ad rev[1]), and they're not adversely affecting Google's ad revenue. No company is pulling ads because Chrome has a vuln.
This wouldn't even be the kind of reputational hit that something like SolarWinds was.
[1]: https://github.com/allpaca/chrome-sbx-db