The bounty amount seems exceptionally low in light of the experience of the reporter, the security budget of the reportee, and the severity of the bug.
It seems to me another zero on the end would be appropriate.
Fifteen thousand dollars to report a bug in a PAM module that you need a local account to exploit? That is excessive. I don't think a professional would get paid that much for an audit of the project (and they didn't hire one; this is just one bug report).
The public release of the report (where the bounty hunter talks extensively about the right and wrong ways to fix the issue) is a nice feather to put in your cap, even if the cash is not a lot.
To the extent this is true, those others aren't paying the bounty. Uber, who is paying, probably has fairly limited exposure to the bug; i.e. one insider impersonating another. To return to the main point, who exactly would pay more for this bug and why?
Apropos whatevs, that is some wild indentation. The block at the bottom, that actually does the connect, none of the code after the if is what it looks like it is. If you know the author, might mention this.
Wow! That bug report and follow-up is absolutely amazing!! If anyone is ever trying to convince a company to release code as open source, this is the best possible example to give.
I highly recommend avoiding PAM if you care about security.
Also, was this written because pam_ssh_agent_auth does not support certificates specifically? If so, why wouldn't they just modify the existing module? Another example of "Hey let's re-engineer the wheel for fun" ?
To expound on this: It's nearly unconscionable for a security-oriented site to mandate JS for basic functionality. There were no alternatives provided, the noscript blurb did not offer a list of domains which were serving the JS, there was no fallback rendering, and so we are forced to trust an unknown party to execute code in a leaky ambient jalopy of security failure.