[tommi]

I bet Blackhat Vulnerability Program would've payed lot more.

[tptacek]

For XSS? No.

[xSwag]

With CPA + FB traffic on such a large scale, one could easy make $50k+ in a week with multiple CPA networks.

[tptacek]

Knowing what little I do about the market for browser code execution vulnerabilities, I am very skeptical that there is a black hat market that pays 5 figures for XSS.

[kmfrk]

Of course it would. That's the idea of blackhat.

[rmc]

That goes against some people's conscience and they would find it immoral to do the wrong thing.

(i.e. you won't get that warm fuzzy feeling of doing the right thing with the blackhat market)

[raverbashing]

Do they give you a CC number you can use as much as you want?

[lucian303]

Yeah, the OP is a really nice person. Because FB doesn't deserve this, not for $3.5k, maybe for $35k but more for around $350k to $3.5m. Guaranteed by contract.