Vulnerabilities will always sell for more on the black market because there’s an added cost for asking people to do immoral and likely illegal things. Comparing the two is meaningless.
To give a straightforward answer: no, I don’t think $20k is underpaid. The severity of a bug isn't based on how it could theoretically affect people but on how it actually does. There's no evidence this is even in the wild, and based on the description, it seems complicated to exploit for attacks.
No, it's priced on demand and supply like anything else; bug bounties are priced to be the amount that Google thinks it takes to incentivise hunters to sell it to them, vs. to black hats.
Not everything is priced on demand and supply -- at least not strictly.
Of course the potential of abuse is part of the equation, but I think Google (or similar large companies) simply has a guideline of how the amount of the bounty is decided, than surveying the market to see what its "actual value" is. It's not exactly a free market, at least not on Google's side.
(But yea, I think lots of people would sell exploits to criminals for enough money.)
Your principles will be gone by the time the 10th company starts to sue you for a public disclosure you did in good faith.
There's a reason why nobody wants to use their real name and creates new aliases for every single CVE and report.
Principles are discrepancies with the law, they don't exist. If the law dictates a different principle than your own one, guess what, you'll be the one that is in jail.
Whistleblower protection laws are a bad joke, and politicians have no (financial) incentives to change that.
You should complete the sentence: “It’s priced based on demand and supply in legal markets like anything else.”
There are, of course, other markets where things like this are traded, but that’s a different story. That said, I think the author is free to negotiate further with Google if they believe it’s worth it.
You are essentially been paid to fill out forms and keep your mouth shut.
--
GP wouldn't sell their discoveries to the criminals. But would they consider selling them to a third party as an intermediary, perhaps one that looks very much above board, and specializes in getting rewards from bug bounties in exchange for a percentage of payout?
I don't know if such companies exist, but I suspect they might - they exist for approximately everything else, it's a natural consequence of specialization and free markets.
Say GP would say yes; how much work would they put into vetting the third party doesn't double-dip selling the exploit on the black market? How can they be sure? Maybe there is a principled company out there, but we all know principled actors self-select out of the market over time.
Or, maybe GP wouldn't sell them unless starving, but what if agents of their government come and politely ask them to share, for the Good of their Country/People/Flag/Queen/Uniform/whatever?
Or, maybe GP wouldn't sell them unless starving, but what is their threshold of "starving"? For many, that wouldn't be literally starving, but some point on a spectrum between that and moderate quality-of-life drop. Like, idk, potentially losing their home, or (more US-specific I guess) random event leaving them with a stupidly high medical bill to pay, etc.
With all that in mind, the main question is: how do you know? How does Google know?
The reason people take an economic view of the world is because it's the only tool that lets you do useful analysis - but unlike with the proverbial hammer that makes everything look like a nail, at large enough scale, approximately everything behaves like a nail. Plus, most of the time, it only takes one.
GP may be principled, but there's likely[0] more than one person making the same discovery at the same time, and some of those people may not be as principled as GP. You can't rely on only ever dealing with principled people - like with a game of Russian roulette, if you pull the trigger enough times, you'll have a bad day.
--
[0] - Arguably, always. Real breakthrough leaps almost never happen, discoveries are usually very incremental - when all the pieces are there, many people end up noticing it and working on the next increment in parallel. The first one to publish is usually the only one to get the credit, though.
But if you don't pay people enough in the first place... then they're just going to spend their time doing other things that actually do pay and your bugs won't get caught except by those who are specifically trying to target you for illicit purposes.
He got nothing. No money at all. The CEO pretended to have forgotten every verbal agreement.
You only need to experience that kind of thing once to change your mind.
The more interesting question would be, if the bug bounty is enough to keep legitimate researchers engaged to investigate and document the threats. But..
The bug bounty itself is only a drop in the bucket for security companies, as it's a, unsteady and b, not enough to cover even trivial research environment cost.
Pratcially it's a nice monetary and reputation bonus (for having the name associated with the detection) in addition to the regular bussiness of providing baseline security intelligence, solutions and services to enterprises, which is what earns the regular paycheck.
Living from quests and bonties is more the realm of fantasy.
From a speech perspective, if I discovered an exploit and wrote a paper explaining it, what law prevents me from selling that research?
https://www.law.cornell.edu/uscode/text/18/1029 gives the definition and penalties for committing fraud and/or unauthorized access, and it includes the development of such tools.
A lot of it includes the phrasing "with intent to defraud" so it may depend on whether the court can show you knew your highest bidder was going to use it in this way.
(apologies for citing US-centric law, I figured it was most relevant to the current discussion but things may vary by jurisdiction, though probably not by much)