by jonknee 3629 days ago
> If they are getting work done for the amounts paid, why pay higher?

To incentivize people to tell them and not sell it to hackers? Because these sorts of things are very valuable to Facebook and they have gobs of money? Because a higher total would make more people interested in looking for issues?

2 comments

95% of people are incentivized enough to not sell to hackers by the incentive of not becoming a criminal.
I don't believe it's illegal to sell vulnerabilities.
Governments also buy zero days.
Sure, just walk into an embassy with a flash drive, I'm sure they've got sacks of doubloons in a basement safe just waiting for someone like you...
If anything it's to give people the incentive to actually flesh out a bug report and send it to them. I really have no idea where everyone's getting this "The black market will pay billions!" idea from.

Facebook is a closed system; an exploit there is worth precisely nada. Any use of it for monetary gain will be shut down fast and probably audit-logged to find you. Find a kernel-level exploit that allows you to execute any command you want at any administrative level on Windows/Linux/etc which allows people to drastically increase their botnet size? That'll get you some cheese.