Key learning from this report
- Incomplete reports that are not fully explained do not pay much bounty; an SQL injection vulnerability is always rewarded and deemed most critical, but this report was not sufficient, so it attracted a smaller reward
- SQL injection vulnerabilities are not necessarily hard to find and exploit; it is just a matter of spending time and looking for these vulnerabilities