Hacker News

Why? There's no market for this bug. Nobody else will buy it. If you found an equivalent bug in, say, Grubhub, nobody would think it was worth much more than a token bounty. Is it just because Facebook is a big company and can afford to pay more for every bug, or is there a particular reason you think this bug is super valuable?


TFA: "In addition, the most sinister exploiters (e.g. a repressive regime) of such a bug would likely have a list of people they cared about identifying (which they could also narrow down based on your location and other factors)."

Wouldn't such orgs (or their vendors) pay at least $1k to find the people they want? I don't know what the right formula is to calculate bounty vs. expected black market value, but you only said nobody would buy it at all.


My semi-educated guess at the answer to your question: no, China or Bahrain or whoever is not going to pay this guy $1000 for the differentiated error to a cross-domain request to Facebook; also, it's pretty hard to believe that there aren't 100 other ways to accomplish this attack, especially if you're a "global passive adversary" and can use traffic-analytic attacks to conduct it.

It's worth finding and fixing these problems, and that's what happened here. It is not a significant economic event, though, and it would be a surprising departure from normal payouts on bounties to see this get much more money than it did. The only reason it was surprising Google didn't pay out for the same bug is that it's Google --- most sites would assign this bug $0.


> no, China or Bahrain or whoever is not going to pay this guy $1000 for the differentiated error to a cross-domain request to Facebook

Feels like a strawman.

You know what they say about selling - solutions, not features.

This isn't a 'cross-domain request' any more than Stackoverflow is a UI on top of 'select * from Questions order by Date desc'

It's a visitor identification system.

That said - I have no idea if this solution is something people will pay for. Especially given it needs an exploit that can be fixed once by one company and instantly sealed.


If you participate in a bug bounty program you already decided you will not sell it on The Market. As such you should be paid for your effort and time at least. Otherwise you sell it to whoever pays more (on The Market).

If you read how much effort is put into just reporting the bug, that will come close to half a month at least. Is $1000 half a security researcher's salary?


That is a strange way of thinking about it. Should not Facebook instead incentivize the kind of bug they are interested in, rather than caring how long it took to find?


They should evaluate fairly how much damage that bug would produce if used by bad actors and pay a percent of that. This is how I see it. Otherwise they are just relying on someone's passion and ethic to stay safe.


That's essentially what they are doing. You just dispute the percentage they assign.



