by elldoubleyew 2267 days ago
I firmly believe that a government intelligence operation would be willing to pay far more than 75k for this.

Bug bounty payouts are not meant to match what you can get on the black market.
That seems like a major flaw in bug bounties then. What else could they be competing with?
There's more to the black market than just money: you often need to deal with unscrupulous individuals (possibly a couple of levels removed) and risk going to jail. The bounty incentivizes researchers to research and disclose, not disincentivize people who were going to sell them anyways (who will pay whatever it costs to get these anyways).
The black market responds to the legal markets. Unless you think that these companies can ultimately win a bidding war against black market actors, trying too desperately to win over the black hats will just enrich them further.
I disagree, they’re designed to incentivize people not to sell such secrets on the black market. If this wasn’t true, these programs wouldn’t exist.

They’ve just gotten used to banking on people taking much less than black market value in order to avoid legal complications.

They're designed to disincentivize moral people from selling such secrets on the black market, and show that companies care about fixing bugs. Authoritarian governments will always be more than willing to offer large sums of money for such exploits.