I hope you get the bounty.
Bugs will always come up in systems as large as theirs, and it is nice to speak to a team so receptive to reports.
This bug was literally the exact reason I did not actually want to connect my YouTube account to Google Plus. But there was no real choice; more like, take it or leave it.
My oldest and most-used Google account (formerly known as a Gmail account), I refuse to Google+ify, as long as I can. For reasons like the OP situation and others.
A while back, I needed to use Hangouts. I +ified another Gmail account that I used for a subset of general business contact. If/when it is borked, I can walk away from it. And it doesn't contain data I worry overly about "bleeding".
There are plenty of people who don't want the email address used to log in to these accounts to be public.
The problem is this bug would have let me easily find out your secret YouTube email address.
On Android, you don't have this choice.
I understand the essence of your point and agree with it to some extent, but I think in this instance I wasn't clear. Google are transparent about their process and let me know they'd vote on it at their next meeting. I've clarified the language in my post.
The idea of an intermediary is an interesting one, certainly for smaller companies. However, for the company to be able to work out the value of the bug, they'd need to know enough details to 'score' the bug such that they could maybe find it. Either way, you'd end up needing some trust.
However, the idea of a service to manage all that for small companies is a good idea. It reminds me of the Common Vulnerability Scoring System (http://www.first.org/cvss) for scoring such exploits.
But I also don't see how that would play out. If their offer is too low what would you do then? You can't sell it to someone else as this is most likely illegal and just keeping it for yourself is also not a great choice.
That aside, having another party getting advance knowledge about the bugs is risky: it just gives bad actors a juicy target to infiltrate to get a steady supply of 0-days.
On the flip side, without the bounty programs a lot of people wouldn't be as motivated to dig around to find such bugs.