What if someone else was offering $10,000 for Facebook bugs, so they could exploit them? This bug could probably result in more than $5,000 in damages to the Facebook brand.
>Is the value of a sledgehammer equal to the value of a car?
My previous post was poorly worded; I didn't mean to imply equality.
To use your analogy, valuing a serious vulnerability on a platform that has 1.65B users in the $5-10k range is tantamount to selling a 30lb sledge hammer for a dollar.
Obviously exploit pricing is generally efficient and adheres to free market principles. That said, it's hypothetically possible that an exploit against a large tech company could sell for far more if the circumstances are right, considering the price to damage ratio is so skewed in addition to the unique nature of each exploit.
Therefore, large tech companies don't really have much to lose by paying far more than they currently do on bounties.
Granted, eliminating what's largely a hypothetical edge case is not the primary benefit to paying higher; incentivizing far more white hat researchers is.
The problem with valuing bugs at their damage potential is that the total damage potential of all bugs in any given product is almost certainly magnitudes greater than the total value of the product itself.
People always say this but where would you go to find such a buyer? If you could find someone who would purchase it from you, would you process to then sell it to them?
If you can't find a buyer and/or would most likely be unwilling to commit a crime, it's a moot point.