Maybe. But for anyone to make money off it, they'd need to be willing to be or work with a criminal, right? If they are getting work done for the amounts paid, why pay higher?
If you're working on Facebook security, is that a bet you're willing to take?
People might mostly take what they're offered, have it amount to a decent enough hourly rate, but there will be that one in ten or one in a hundred unhindered by moral and/or legal considerations.
At that point, it turns into a cost calculation - perhaps it would indeed be cheaper to pay tenfold or more to a hundred people than have just one sell their bug/exploit/whatever to another, more interested buyer?
> If they are getting work done for the amounts paid, why pay higher?
To incentivize people to tell them and not sell it to hackers? Because these sorts of things are very valuable to Facebook and they have gobs of money? Because a higher total would make more people interested in looking for issues?
If anything it's to give people the incentive to actually flesh out a bug report and send it to them. I really have no idea where everyone's getting this "The black market will pay billions!" idea from.
Facebook is a closed system; an exploit there is worth precisely nada. Any use of it for monetary gain will be shut down fast and probably audit-logged to find you. Find a kernel-level exploit that allows you to execute any command you want at any administrative level on Windows/Linux/etc. which allows people to drastically increase their botnet size? That'll get you some cheese.
I guess the reasoning would be that some hackers probably have found vulnerabilities they'd rather sell on the black market for 50K than sell to Facebook for 5K.
Who is paying 50k for these things? A while back the Hacking Team dumps showed very low prices. Zero days in widespread desktop systems were like 100k. Why would a remote service flaw that can be fixed at a moment's notice be worth much more?
How do you recoup 50k on FB? Not a theoretical "I'll hack Tom Cruise's pictures and blackmail him" but an actual demonstrated business model.
Didn't the HT leaks show vulns that'd be sold to anyone? An online service hack just wouldn't command the same pricing. Is there any source/docs to indicate the e.g. NSA pays $50K for this kind of vuln?
Also note that the majority of government entities can just legally request information.
>Is there any source/docs to indicate the e.g. NSA pays $50K for this kind of vuln?
If anything smaller governments without in-house vulnerability research would be more willing to pay large amounts.
>Also note that the majority of government entities can just legally request information.
The kind of governments that would be interested in exploiting Facebook probably aren't the kind that could legally request the information in the first place.