Was a bounty awarded for reporting this vulnerability?
We define a bounty as a monetary award given by the development team to a researcher who discovered a vulnerability. Bounties garner a wide variety of monetary rewards, depending on a variety of factors. The severity of the vulnerablity at the time of its discovery is a main driver [1,3], however.
Bounties also create an interesting economy that competes with the black-hat economy of a vulnerability [2]. Knowledge of a vulnerability can be very profitable for attackers. So software companies will defray this cost by giving out bounties. Thus, bounty awards are inextricably linked to their black market value.
Below are some interesting publications on the topic of bug bounty programs and vulnerabilities.
* [1] Mingyi Zhao, Jens Grossklags, and Peng Liu. 2015. An Empirical Study of Web Vulnerability Discovery Ecosystems. In Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security (CCS '15). ACM, New York, NY, USA, 1105-1117. DOI: https://doi.org/10.1145/2810103.2813704
* [2] Serge Egelman, Cormac Herley, and Paul C. van Oorschot. 2013. Markets for zero-day exploits: ethics and implications. In Proceedings of the 2013 New Security Paradigms Workshop (NSPW '13). ACM, New York, NY, USA, 41-46. DOI: https://doi.org/10.1145/2535813.2535818
* [3] Nuthan Munaiah and Andrew Meneely. 2016. Vulnerability severity scoring and bounties: why the disconnect?. In Proceedings of the 2nd International Workshop on Software Analytics (SWAN 2016). ACM, New York, NY, USA, 8-14. DOI: https://doi.org/10.1145/2989238.2989239