[rl3]

>Is the value of a sledgehammer equal to the value of a car?

My previous post was poorly worded; I didn't mean to imply equality.

To use your analogy, valuing a serious vulnerability on a platform that has 1.65B users in the $5-10k range is tantamount to selling a 30lb sledge hammer for a dollar.

[ponyfleisch]

But what if producing a sledgehammer only cost 50 cents? Then people would sell sledgehammers for a dollar or less.

[rl3]

Rather than torture this analogy further:

Obviously exploit pricing is generally efficient and adheres to free market principles. That said, it's hypothetically possible that an exploit against a large tech company could sell for far more if the circumstances are right, considering the price to damage ratio is so skewed in addition to the unique nature of each exploit.

Therefore, large tech companies don't really have much to lose by paying far more than they currently do on bounties.

Granted, eliminating what's largely a hypothetical edge case is not the primary benefit to paying higher; incentivizing far more white hat researchers is.