Stealing Facebook access_tokens using CSRF in device login flow

[zimbatm]

I don't think you can infer that all the researcher's finding would be critical bugs in one of the big companies (that pay well). It probably follows a normal distribution where most of the time it's non-critical bugs in medium-sized companies.