[a_imho]

The black market is a false dichotomy. Either you need the money for your work, then negotiate a reasonable price, or you don't, then disclosing it for free might actually helps someone not to be lowballed by BigCo the next time.

There really should be a bug marketplace, instead of one side having all the power and paying pennies.

[tptacek]

Markets aren't magical. They route resources, they don't create them from thin air. If Facebook is ultimately the only organization that realizes $5000+ in value from a vulnerability, then no matter how you structure the marketplace, it isn't going discover a higher price for that flaw.

If you believe otherwise, you're missing a business opportunity. Go create a "bug market" for Facebook and Google serversides. It's not illegal to buy vulnerabilities, or to sell them (so long as you're reasonably sure they're not going to be used as part of a specific criminal enterprise --- but don't worry, if you stick a $5000 price tag on a serverside bug, or even a $500 price tag, you can be pretty sure it won't be used by criminals).

[a_imho]

By submitting a bug through a bug bounty system you place the reward into Facebook's hands. Following the same argument you can say they can offer $1, because they are the only organization interested in the bug. After all exploiting a vulnerability puts you on the wrong side of the law.

However I do believe saying you discovered a pretty serious bug by putting it on a market sends a strong message. Your system is vulnerable and you are too cheap to pay up.