
I actually agree $20K would seem fairer here, but to answer your question, one reason it may not correlate closely is that you're only referring to the demand side, i.e., how valuable is this discovery to Google?

The compensation level also comes down to the supply side - how many other people might have discovered this bug shortly after this?

For this reason, there's probably a good argument to increase the reward according to how long the vulnerability was present, to the extent that's knowable. (More so with an open source library under version control than a website.)


