Some reports we receive note that HTTP cookies that are manually extracted from the browser and then replayed to the server continue to work for some time after logging out. This kind of finding usually refers to some of our less sensitive services and acquisitions, as most of our high impact services are designed to eliminate this possibility.

Nevertheless, we believe that most situations that are cited as potential exploitation vectors for this behavior fall outside of the security model of modern browsers and operating systems, and can't be meaningfully mitigated by any single website. We discuss this in more detail in our article that deals with the behavior of "back" buttons in our apps.

Conclusion

For pragmatic reasons, with the exception of a handful of high-risk services (e.g. Google Wallet or Gmail), reports of this type don't qualify for credit or rewards.