CSRF or clickjacking with no practical use to attackers
When evaluating reports of cross-site request forgery (CSRF) or clickjacking vulnerabilities, we always try to understand the impact they may have when actually exploited. If a successful attack does not change the state of your Google account in any way, or if the change is very inconsequential, the report will usually not qualify for a reward.
Similarly, cross-site request forgery for actions that do not require authentication, or that can only be performed using other, unpredictable values (passwords, secret invitation codes, etc.), is often also deemed to be a non-issue.
Conclusion
As with many other types of security issues, it is always helpful to think about how such a vulnerability could be used in an attack and what would be gained by leveraging it. If you are unsure, we may have a hard time evaluating the report :-).
The moral of the story: reports of CSRF or clickjacking that carry no value for potential attackers do not qualify for a reward or credit.
Unrealistic clickjacking and CSRF – ft. Reconless
Does your vulnerability have any impact? – ft. LiveOverflow