You can disagree, but you're wrong. The kinds of people who watch dark marketplaces for exploits are not dreaming of the super interested information they can get off a random backoffice system.
One time, about 15 "bug bounties are a ripoff" threads ago, someone actually made a non-ironic case for a high valuation for logout CSRF bugs. A competing image service could employ it to ruthlessly log users out, degrading service and jacking up their own signups. A logout CSRF. That's the kind of logic we're talking about here.
One time, about 15 "bug bounties are a ripoff" threads ago, someone actually made a non-ironic case for a high valuation for logout CSRF bugs. A competing image service could employ it to ruthlessly log users out, degrading service and jacking up their own signups. A logout CSRF. That's the kind of logic we're talking about here.
Nobody buys these kinds of bugs speculatively.