TFA: "In addition, the most sinister exploiters (e.g. a repressive regime) of such a bug would likely have a list of people they cared about identifying (which they could also narrow down based on your location and other factors)."

Wouldn't such orgs (or their vendors) pay at least $1k to find the people they want? I don't know what the right formula is to calculate bounty vs. expected black market value, but you only said nobody would buy it at all.

My semi-educated guess at the answer to your question: no, China or Bahrain or whoever is not going to pay this guy $1000 for the differentiated error to a cross-domain request to Facebook; also, it's pretty hard to believe that there aren't 100 other ways to accomplish this attack, especially if you're a "global passive adversary" and can use traffic-analytic attacks to conduct it.

It's worth finding and fixing these problems, and that's what happened here. It is not a significant economic event, though, and it would be a surprising departure from normal payouts on bounties to see this get much more money than it did. The only reason it was surprising Google didn't pay out for the same bug is that it's Google --- most sites would assign this bug $0.

> no, China or Bahrain or whoever is not going to pay this guy $1000 for the differentiated error to a cross-domain request to Facebook

Feels like a strawman.

You know what they say about selling - solutions, not features.

This isn't a 'cross-domain request' any more than Stackoverflow is a UI on top of 'select * from Questions order by Date desc'.

It's a visitor identification system.

That said - I have no idea if this solution is something people will pay for. Especially given it needs an exploit that can be fixed once by one company and instantly sealed.