Yeah, both are from the same program. If you are talking about the article "Email and home address disclosure using unauthenticated API endpoint worth $500", then $500, because the booking_id is a random hash which is not brute-forceable and there is no API to fetch other users' booking_id. I found a few booking IDs in Wayback URLs.


Written by the_unlucky_guy

Security Engineer | Never Forgive Never Forget