"...and handed the duo US$500 by way of thanks."
Perhaps I'm being a little bit paranoid, but the amount awarded seems designed to discourage security researchers. Either that or G is pathologically tightfisted. Seriously, US$500?
Security probers Patrik Fehrenbach and Behrouz Sadeghipour have found a (since-patched) flaw in Google Apps that allowed criminals to register corporate domains and send white-listed phishing emails from admin addresses. The Choc Factory patched the flaw and handed the duo US$500 by way of thanks. The flaw meant attackers …
Mephisto, you raise a very good point: How much is a security flaw worth? Should the award be based on the severity of the flaw, how much it would be worth on the black market, the amount of time that went into discovering and documenting it, what the company can afford to pay, or something else? Also, Google's behavior raises more general questions, such as how long it is acceptable to wait before disclosing flaws to the public.
Perhaps someone ought to set up an organization to independently rate and track security vulnerabilities. What could make it better? Perhaps, if MITRE were funded by industry rather than government, paid for the discovery of flaws for all members, and had consistent standards for payment, reporting, et cetera... Nah, that would be too much like right.
I believe Google is actually among those who pay the biggest prizes; they were also among the first to do it at all. Until two years ago, finding a critical security bug in Windows earned you a heartfelt thank you.
I believe that in this case, the small sum indicates rather they don't consider the exploit (circumventing spam filters) to be critical.
Since the exploit also allows phishing links into the message, it's a bit more than just circumventing spam filters.
As for your claim that Google is good because the others are even worse, sorry, that dog don't hunt.