This is a very persistent meme that is ultimately incorrect. You can't judge the value of a vulnerability by how large its host company is, or even by its severity.
In the security industry we use the term "vulnerability half-life" for this purpose. Basically, a bug in Google will be discovered between a day and a week after it is first exploited instead of reported. If you try to commercialize it, it will quickly be discovered because the top tech companies have the best incident response teams in the world.
Once the flaw is patched once in Google, it's effectively patched. Game over for the attacker. Compare this to a vulnerability like Heartbleed that is actually worth money: a critical flaw that can compromise over a third of all the servers on the entire internet. If that vulnerability is patched anywhere, it's not patched everywhere, unlike a single web application instance in Google.
The greater the half-life, the greater the value of the vulnerability. A vulnerability in Java is worth money because it will still exist in the wild for years, providing consistent income and ROI for a purchased exploit.
A vulnerability in Facebook is worth money to Facebook for brand integrity, but it isn't worth much to blackhat groups. You could theoretically commercialize it, but not quickly enough or in a meaningfully consistent or lucrative enough way to really make it worth the hassle.