Yes, this bug is worth more than $5k. To be honest, I expected $15k - $20k :) I wanted to write a kind of "complaint" to Google, but first I reread the Google Vulnerability Reward Program Rules and understood that Google could not pay me more. Take a look at the table here: http://www.google.com/about/appsecurity/reward-program/index..., YouTube is a "Normal Google application", and this bug is in the "Logic flaw bugs leaking or bypassing significant security controls" category. So that means that Google rewarded me the maximum reward - $5,000 :)
Facebook has not got a boundary for maximum reward, so they can pay as much as they want…