It's harder to find, so it's less likely to be noticed and exploited by a bad actor than a glaring issue. My experience has been that this is typical of these programs—you're trying to reward researchers for finding things that are likely to be exploited, so the more arcane bugs are less valuable.
I'm not sure I'd apply that logic if I were Google, though. For smaller companies it makes sense because the threat actors that they are most likely to face are mostly script kiddies who give you at most a day before they get bored and try someone else. Google is another matter, since they're always a target for much more sophisticated attackers.